From: Greg Kroah-Hartman
Date: Wed, 1 Jan 2020 17:26:57 +0000 (+0100)
Subject: 5.4-stable patches
X-Git-Tag: v4.4.208~23
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8932d9384ef6ecaa3ddec2bba1c8fd454dc4324d;p=thirdparty%2Fkernel%2Fstable-queue.git
5.4-stable patches
added patches:
6pack-mkiss-fix-possible-deadlock.patch
drm-limit-to-int_max-in-create_blob-ioctl.patch
hrtimer-annotate-lockless-access-to-timer-state.patch
inetpeer-fix-data-race-in-inet_putpeer-inet_putpeer.patch
net-add-a-read_once-in-skb_peek_tail.patch
net-icmp-fix-data-race-in-cmp_global_allow.patch
net-smc-add-fallback-check-to-connect.patch
netfilter-bridge-make-sure-to-pull-arp-header-in-br_nf_forward_arp.patch
netfilter-ebtables-compat-reject-all-padding-in-matches-watchers.patch
powerpc-fix-__clear_user-with-kuap-enabled.patch
revert-iwlwifi-assign-directly-to-iwl_trans-cfg-in-quz-detection.patch
shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch
tomoyo-don-t-use-nifty-names-on-sockets.patch
uaccess-disallow-int_max-copy-sizes.patch
xfs-fix-mount-failure-crash-on-invalid-iclog-memory-access.patch
---
diff --git a/queue-5.4/6pack-mkiss-fix-possible-deadlock.patch b/queue-5.4/6pack-mkiss-fix-possible-deadlock.patch
new file mode 100644
index 00000000000..ae5c76f0a22
--- /dev/null
+++ b/queue-5.4/6pack-mkiss-fix-possible-deadlock.patch
@@ -0,0 +1,178 @@
+From 5c9934b6767b16ba60be22ec3cbd4379ad64170d Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Thu, 12 Dec 2019 10:32:13 -0800
+Subject: 6pack,mkiss: fix possible deadlock
+
+From: Eric Dumazet
+
+commit 5c9934b6767b16ba60be22ec3cbd4379ad64170d upstream.
+
+We got another syzbot report [1] that tells us we must use
+write_lock_irq()/write_unlock_irq() to avoid possible deadlock.
+
+[1]
+
+WARNING: inconsistent lock state
+5.5.0-rc1-syzkaller #0 Not tainted
+--------------------------------
+inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-R} usage.
+syz-executor826/9605 [HC1[1]:SC0[0]:HE0:SE1] takes:
+ffffffff8a128718 (disc_data_lock){+-..}, at: sp_get.isra.0+0x1d/0xf0 drivers/net/ppp/ppp_synctty.c:138
+{HARDIRQ-ON-W} state was registered at:
+ lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
+ __raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline]
+ _raw_write_lock_bh+0x33/0x50 kernel/locking/spinlock.c:319
+ sixpack_close+0x1d/0x250 drivers/net/hamradio/6pack.c:657
+ tty_ldisc_close.isra.0+0x119/0x1a0 drivers/tty/tty_ldisc.c:489
+ tty_set_ldisc+0x230/0x6b0 drivers/tty/tty_ldisc.c:585
+ tiocsetd drivers/tty/tty_io.c:2337 [inline]
+ tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2597
+ vfs_ioctl fs/ioctl.c:47 [inline]
+ file_ioctl fs/ioctl.c:545 [inline]
+ do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
+ ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
+ __do_sys_ioctl fs/ioctl.c:756 [inline]
+ __se_sys_ioctl fs/ioctl.c:754 [inline]
+ __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
+ do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+irq event stamp: 3946
+hardirqs last enabled at (3945): [] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:168 [inline]
+hardirqs last enabled at (3945): [] _raw_spin_unlock_irq+0x23/0x80 kernel/locking/spinlock.c:199
+hardirqs last disabled at (3946): [] trace_hardirqs_off_thunk+0x1a/0x1c arch/x86/entry/thunk_64.S:42
+softirqs last enabled at (2658): [] spin_unlock_bh
include/linux/spinlock.h:383 [inline]
+softirqs last enabled at (2658): [] clusterip_netdev_event+0x46f/0x670 net/ipv4/netfilter/ipt_CLUSTERIP.c:222
+softirqs last disabled at (2656): [] spin_lock_bh include/linux/spinlock.h:343 [inline]
+softirqs last disabled at (2656): [] clusterip_netdev_event+0x1bb/0x670 net/ipv4/netfilter/ipt_CLUSTERIP.c:196
+
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+ CPU0
+ ----
+ lock(disc_data_lock);
+
+ lock(disc_data_lock);
+
+ *** DEADLOCK ***
+
+5 locks held by syz-executor826/9605:
+ #0: ffff8880a905e198 (&tty->legacy_mutex){+.+.}, at: tty_lock+0xc7/0x130 drivers/tty/tty_mutex.c:19
+ #1: ffffffff899a56c0 (rcu_read_lock){....}, at: mutex_spin_on_owner+0x0/0x330 kernel/locking/mutex.c:413
+ #2: ffff8880a496a2b0 (&(&i->lock)->rlock){-.-.}, at: spin_lock include/linux/spinlock.h:338 [inline]
+ #2: ffff8880a496a2b0 (&(&i->lock)->rlock){-.-.}, at: serial8250_interrupt+0x2d/0x1a0 drivers/tty/serial/8250/8250_core.c:116
+ #3: ffffffff8c104048 (&port_lock_key){-.-.}, at: serial8250_handle_irq.part.0+0x24/0x330 drivers/tty/serial/8250/8250_port.c:1823
+ #4: ffff8880a905e090 (&tty->ldisc_sem){++++}, at: tty_ldisc_ref+0x22/0x90 drivers/tty/tty_ldisc.c:288
+
+stack backtrace:
+CPU: 1 PID: 9605 Comm: syz-executor826 Not tainted 5.5.0-rc1-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x197/0x210 lib/dump_stack.c:118
+ print_usage_bug.cold+0x327/0x378 kernel/locking/lockdep.c:3101
+ valid_state kernel/locking/lockdep.c:3112 [inline]
+ mark_lock_irq kernel/locking/lockdep.c:3309 [inline]
+ mark_lock+0xbb4/0x1220 kernel/locking/lockdep.c:3666
+ mark_usage kernel/locking/lockdep.c:3554 [inline]
+ __lock_acquire+0x1e55/0x4a00 kernel/locking/lockdep.c:3909
+ lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
+ __raw_read_lock include/linux/rwlock_api_smp.h:149 [inline]
+
_raw_read_lock+0x32/0x50 kernel/locking/spinlock.c:223
+ sp_get.isra.0+0x1d/0xf0 drivers/net/ppp/ppp_synctty.c:138
+ sixpack_write_wakeup+0x25/0x340 drivers/net/hamradio/6pack.c:402
+ tty_wakeup+0xe9/0x120 drivers/tty/tty_io.c:536
+ tty_port_default_wakeup+0x2b/0x40 drivers/tty/tty_port.c:50
+ tty_port_tty_wakeup+0x57/0x70 drivers/tty/tty_port.c:387
+ uart_write_wakeup+0x46/0x70 drivers/tty/serial/serial_core.c:104
+ serial8250_tx_chars+0x495/0xaf0 drivers/tty/serial/8250/8250_port.c:1761
+ serial8250_handle_irq.part.0+0x2a2/0x330 drivers/tty/serial/8250/8250_port.c:1834
+ serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1820 [inline]
+ serial8250_default_handle_irq+0xc0/0x150 drivers/tty/serial/8250/8250_port.c:1850
+ serial8250_interrupt+0xf1/0x1a0 drivers/tty/serial/8250/8250_core.c:126
+ __handle_irq_event_percpu+0x15d/0x970 kernel/irq/handle.c:149
+ handle_irq_event_percpu+0x74/0x160 kernel/irq/handle.c:189
+ handle_irq_event+0xa7/0x134 kernel/irq/handle.c:206
+ handle_edge_irq+0x25e/0x8d0 kernel/irq/chip.c:830
+ generic_handle_irq_desc include/linux/irqdesc.h:156 [inline]
+ do_IRQ+0xde/0x280 arch/x86/kernel/irq.c:250
+ common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:607
+
+RIP: 0010:cpu_relax arch/x86/include/asm/processor.h:685 [inline]
+RIP: 0010:mutex_spin_on_owner+0x247/0x330 kernel/locking/mutex.c:579
+Code: c3 be 08 00 00 00 4c 89 e7 e8 e5 06 59 00 4c 89 e0 48 c1 e8 03 42 80 3c 38 00 0f 85 e1 00 00 00 49 8b 04 24 a8 01 75 96 f3 90 2f fe ff ff 0f 0b e8 0d 19 09 00 84 c0 0f 85 ff fd ff ff 48 c7
+RSP: 0018:ffffc90001eafa20 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffd7
+RAX: 0000000000000000 RBX: ffff88809fd9e0c0 RCX: 1ffffffff13266dd
+RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000000
+RBP: ffffc90001eafa60 R08: 1ffff11013d22898 R09: ffffed1013d22899
+R10: ffffed1013d22898 R11: ffff88809e9144c7 R12: ffff8880a905e138
+R13: ffff88809e9144c0 R14: 0000000000000000 R15: dffffc0000000000
+ mutex_optimistic_spin kernel/locking/mutex.c:673
[inline]
+ __mutex_lock_common kernel/locking/mutex.c:962 [inline]
+ __mutex_lock+0x32b/0x13c0 kernel/locking/mutex.c:1106
+ mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1121
+ tty_lock+0xc7/0x130 drivers/tty/tty_mutex.c:19
+ tty_release+0xb5/0xe90 drivers/tty/tty_io.c:1665
+ __fput+0x2ff/0x890 fs/file_table.c:280
+ ____fput+0x16/0x20 fs/file_table.c:313
+ task_work_run+0x145/0x1c0 kernel/task_work.c:113
+ exit_task_work include/linux/task_work.h:22 [inline]
+ do_exit+0x8e7/0x2ef0 kernel/exit.c:797
+ do_group_exit+0x135/0x360 kernel/exit.c:895
+ __do_sys_exit_group kernel/exit.c:906 [inline]
+ __se_sys_exit_group kernel/exit.c:904 [inline]
+ __x64_sys_exit_group+0x44/0x50 kernel/exit.c:904
+ do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x43fef8
+Code: Bad RIP value.
+RSP: 002b:00007ffdb07d2338 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043fef8
+RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
+RBP: 00000000004bf730 R08: 00000000000000e7 R09: ffffffffffffffd0
+R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
+R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
+
+Fixes: 6e4e2f811bad ("6pack,mkiss: fix lock inconsistency")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Cc: Arnd Bergmann
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/hamradio/6pack.c | 4 ++--
+ drivers/net/hamradio/mkiss.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/hamradio/6pack.c
++++ b/drivers/net/hamradio/6pack.c
+@@ -654,10 +654,10 @@ static void sixpack_close(struct tty_str
+ {
+ struct sixpack *sp;
+
+- write_lock_bh(&disc_data_lock);
++ write_lock_irq(&disc_data_lock);
+ sp = tty->disc_data;
+ tty->disc_data = NULL;
+- write_unlock_bh(&disc_data_lock);
++ write_unlock_irq(&disc_data_lock);
+ if (!sp)
+ return;
+
+---
a/drivers/net/hamradio/mkiss.c
++++ b/drivers/net/hamradio/mkiss.c
+@@ -773,10 +773,10 @@ static void mkiss_close(struct tty_struc
+ {
+ struct mkiss *ax;
+
+- write_lock_bh(&disc_data_lock);
++ write_lock_irq(&disc_data_lock);
+ ax = tty->disc_data;
+ tty->disc_data = NULL;
+- write_unlock_bh(&disc_data_lock);
++ write_unlock_irq(&disc_data_lock);
+
+ if (!ax)
+ return;
diff --git a/queue-5.4/drm-limit-to-int_max-in-create_blob-ioctl.patch b/queue-5.4/drm-limit-to-int_max-in-create_blob-ioctl.patch
new file mode 100644
index 00000000000..daab1e99837
--- /dev/null
+++ b/queue-5.4/drm-limit-to-int_max-in-create_blob-ioctl.patch
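Review bot: The switch from write_lock_bh() to write_lock_irq() in sixpack_close() and mkiss_close() carries no comment, so the only record of why BH-disabling was insufficient is the lockdep report in the description. That report shows the read side (sp_get() reached from sixpack_write_wakeup() in the serial interrupt path) taking disc_data_lock in hard-IRQ context, so the writer must disable hard interrupts; a one-line comment at both sites, `/* readers take disc_data_lock from hard-IRQ context (tty wakeup), so _bh is not enough */`, would keep a later cleanup from reintroducing the _bh variant. write_lock_irq() rather than write_lock_irqsave() is only correct if these close callbacks always run with interrupts enabled, which the ldisc close path in the trace suggests but the hunk itself does not show. Both functions continue past the end of their hunks.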
@@ -0,0 +1,40 @@
+From 5bf8bec3f4ce044a223c40cbce92590d938f0e9c Mon Sep 17 00:00:00 2001
+From: Daniel Vetter
+Date: Wed, 4 Dec 2019 16:52:37 -0800
+Subject: drm: limit to INT_MAX in create_blob ioctl
+
+From: Daniel Vetter
+
+commit 5bf8bec3f4ce044a223c40cbce92590d938f0e9c upstream.
+
+The hardened usercpy code is too paranoid ever since commit 6a30afa8c1fb
+("uaccess: disallow > INT_MAX copy sizes")
+
+Code itself should have been fine as-is.
+
+Link: http://lkml.kernel.org/r/20191106164755.31478-1-daniel.vetter@ffwll.ch
+Signed-off-by: Daniel Vetter
+Reported-by: syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com
+Fixes: 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes")
+Cc: Kees Cook
+Cc: Alexander Viro
+Cc: Stephen Rothwell
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/drm_property.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_property.c
++++ b/drivers/gpu/drm/drm_property.c
+@@ -561,7 +561,7 @@ drm_property_create_blob(struct drm_devi
+ struct drm_property_blob *blob;
+ int ret;
+
+- if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob))
++ if (!length || length > INT_MAX - sizeof(struct drm_property_blob))
+ return ERR_PTR(-EINVAL);
+
+ blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL);
diff --git a/queue-5.4/hrtimer-annotate-lockless-access-to-timer-state.patch b/queue-5.4/hrtimer-annotate-lockless-access-to-timer-state.patch
new file mode 100644
index 00000000000..cdbabd71acc
--- /dev/null
+++ b/queue-5.4/hrtimer-annotate-lockless-access-to-timer-state.patch
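Review bot: The new bound `length > INT_MAX - sizeof(struct drm_property_blob)` has no comment saying where INT_MAX comes from, so in drm_property_create_blob() it reads as an arbitrary tightening of the previous ULONG_MAX check. The description traces it to the hardened usercopy limit introduced by commit 6a30afa8c1fb ("uaccess: disallow > INT_MAX copy sizes"); a comment on the condition, `/* hardened usercopy rejects > INT_MAX copies (6a30afa8c1fb), so bound the blob here rather than fail later */`, ties the ioctl-side check to that limit. The arithmetic itself is safe: sizeof() makes the subtraction size_t and INT_MAX is far larger than the struct, so no wraparound is possible. drm_property_create_blob() starts and ends outside the hunk.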
@@ -0,0 +1,160 @@
+From 56144737e67329c9aaed15f942d46a6302e2e3d8 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Wed, 6 Nov 2019 09:48:04 -0800
+Subject: hrtimer: Annotate lockless access to timer->state
+
+From: Eric Dumazet
+
+commit 56144737e67329c9aaed15f942d46a6302e2e3d8 upstream.
+
+syzbot reported various data-race caused by hrtimer_is_queued() reading
+timer->state. A READ_ONCE() is required there to silence the warning.
+
+Also add the corresponding WRITE_ONCE() when timer->state is set.
+
+In remove_hrtimer() the hrtimer_is_queued() helper is open coded to avoid
+loading timer->state twice.
+
+KCSAN reported these cases:
+
+BUG: KCSAN: data-race in __remove_hrtimer / tcp_pacing_check
+
+write to 0xffff8880b2a7d388 of 1 bytes by interrupt on cpu 0:
+ __remove_hrtimer+0x52/0x130 kernel/time/hrtimer.c:991
+ __run_hrtimer kernel/time/hrtimer.c:1496 [inline]
+ __hrtimer_run_queues+0x250/0x600 kernel/time/hrtimer.c:1576
+ hrtimer_run_softirq+0x10e/0x150 kernel/time/hrtimer.c:1593
+ __do_softirq+0x115/0x33f kernel/softirq.c:292
+ run_ksoftirqd+0x46/0x60 kernel/softirq.c:603
+ smpboot_thread_fn+0x37d/0x4a0 kernel/smpboot.c:165
+ kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
+
+read to 0xffff8880b2a7d388 of 1 bytes by task 24652 on cpu 1:
+ tcp_pacing_check net/ipv4/tcp_output.c:2235 [inline]
+ tcp_pacing_check+0xba/0x130 net/ipv4/tcp_output.c:2225
+ tcp_xmit_retransmit_queue+0x32c/0x5a0 net/ipv4/tcp_output.c:3044
+ tcp_xmit_recovery+0x7c/0x120 net/ipv4/tcp_input.c:3558
+ tcp_ack+0x17b6/0x3170 net/ipv4/tcp_input.c:3717
+ tcp_rcv_established+0x37e/0xf50 net/ipv4/tcp_input.c:5696
+ tcp_v4_do_rcv+0x381/0x4e0 net/ipv4/tcp_ipv4.c:1561
+ sk_backlog_rcv include/net/sock.h:945 [inline]
+ __release_sock+0x135/0x1e0 net/core/sock.c:2435
+ release_sock+0x61/0x160 net/core/sock.c:2951
+ sk_stream_wait_memory+0x3d7/0x7c0 net/core/stream.c:145
+ tcp_sendmsg_locked+0xb47/0x1f30 net/ipv4/tcp.c:1393
+
tcp_sendmsg+0x39/0x60 net/ipv4/tcp.c:1434
+ inet_sendmsg+0x6d/0x90 net/ipv4/af_inet.c:807
+ sock_sendmsg_nosec net/socket.c:637 [inline]
+ sock_sendmsg+0x9f/0xc0 net/socket.c:657
+
+BUG: KCSAN: data-race in __remove_hrtimer / __tcp_ack_snd_check
+
+write to 0xffff8880a3a65588 of 1 bytes by interrupt on cpu 0:
+ __remove_hrtimer+0x52/0x130 kernel/time/hrtimer.c:991
+ __run_hrtimer kernel/time/hrtimer.c:1496 [inline]
+ __hrtimer_run_queues+0x250/0x600 kernel/time/hrtimer.c:1576
+ hrtimer_run_softirq+0x10e/0x150 kernel/time/hrtimer.c:1593
+ __do_softirq+0x115/0x33f kernel/softirq.c:292
+ invoke_softirq kernel/softirq.c:373 [inline]
+ irq_exit+0xbb/0xe0 kernel/softirq.c:413
+ exiting_irq arch/x86/include/asm/apic.h:536 [inline]
+ smp_apic_timer_interrupt+0xe6/0x280 arch/x86/kernel/apic/apic.c:1137
+ apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
+
+read to 0xffff8880a3a65588 of 1 bytes by task 22891 on cpu 1:
+ __tcp_ack_snd_check+0x415/0x4f0 net/ipv4/tcp_input.c:5265
+ tcp_ack_snd_check net/ipv4/tcp_input.c:5287 [inline]
+ tcp_rcv_established+0x750/0xf50 net/ipv4/tcp_input.c:5708
+ tcp_v4_do_rcv+0x381/0x4e0 net/ipv4/tcp_ipv4.c:1561
+ sk_backlog_rcv include/net/sock.h:945 [inline]
+ __release_sock+0x135/0x1e0 net/core/sock.c:2435
+ release_sock+0x61/0x160 net/core/sock.c:2951
+ sk_stream_wait_memory+0x3d7/0x7c0 net/core/stream.c:145
+ tcp_sendmsg_locked+0xb47/0x1f30 net/ipv4/tcp.c:1393
+ tcp_sendmsg+0x39/0x60 net/ipv4/tcp.c:1434
+ inet_sendmsg+0x6d/0x90 net/ipv4/af_inet.c:807
+ sock_sendmsg_nosec net/socket.c:637 [inline]
+ sock_sendmsg+0x9f/0xc0 net/socket.c:657
+ __sys_sendto+0x21f/0x320 net/socket.c:1952
+ __do_sys_sendto net/socket.c:1964 [inline]
+ __se_sys_sendto net/socket.c:1960 [inline]
+ __x64_sys_sendto+0x89/0xb0 net/socket.c:1960
+ do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 24652 Comm: syz-executor.3 Not tainted 5.4.0-rc3+ #0
+Hardware name: Google Google Compute
Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+[ tglx: Added comments ]
+
+Reported-by: syzbot
+Signed-off-by: Eric Dumazet
+Signed-off-by: Thomas Gleixner
+Link: https://lkml.kernel.org/r/20191106174804.74723-1-edumazet@google.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/hrtimer.h | 14 ++++++++++----
+ kernel/time/hrtimer.c | 11 +++++++----
+ 2 files changed, 17 insertions(+), 8 deletions(-)
+
+--- a/include/linux/hrtimer.h
++++ b/include/linux/hrtimer.h
+@@ -456,12 +456,18 @@ extern u64 hrtimer_next_event_without(co
+
+ extern bool hrtimer_active(const struct hrtimer *timer);
+
+-/*
+- * Helper function to check, whether the timer is on one of the queues
++/**
++ * hrtimer_is_queued = check, whether the timer is on one of the queues
++ * @timer: Timer to check
++ *
++ * Returns: True if the timer is queued, false otherwise
++ *
++ * The function can be used lockless, but it gives only a current snapshot.
+ */
+-static inline int hrtimer_is_queued(struct hrtimer *timer)
++static inline bool hrtimer_is_queued(struct hrtimer *timer)
+ {
+- return timer->state & HRTIMER_STATE_ENQUEUED;
++ /* The READ_ONCE pairs with the update functions of timer->state */
++ return !!(READ_ONCE(timer->state) & HRTIMER_STATE_ENQUEUED);
+ }
+
+ /*
+--- a/kernel/time/hrtimer.c
++++ b/kernel/time/hrtimer.c
+@@ -966,7 +966,8 @@ static int enqueue_hrtimer(struct hrtime
+
+ base->cpu_base->active_bases |= 1 << base->index;
+
+- timer->state = HRTIMER_STATE_ENQUEUED;
++ /* Pairs with the lockless read in hrtimer_is_queued() */
++ WRITE_ONCE(timer->state, HRTIMER_STATE_ENQUEUED);
+
+ return timerqueue_add(&base->active, &timer->node);
+ }
+@@ -988,7 +989,8 @@ static void __remove_hrtimer(struct hrti
+ struct hrtimer_cpu_base *cpu_base = base->cpu_base;
+ u8 state = timer->state;
+
+- timer->state = newstate;
++ /* Pairs with the lockless read in hrtimer_is_queued() */
++ WRITE_ONCE(timer->state, newstate);
+ if (!(state & HRTIMER_STATE_ENQUEUED))
+ return;
+
+@@
-1013,8 +1015,9 @@ static void __remove_hrtimer(struct hrti
+ static inline int
+ remove_hrtimer(struct hrtimer *timer, struct hrtimer_clock_base *base, bool restart)
+ {
+- if (hrtimer_is_queued(timer)) {
+- u8 state = timer->state;
++ u8 state = timer->state;
++
++ if (state & HRTIMER_STATE_ENQUEUED) {
+ int reprogram;
+
+ /*
diff --git a/queue-5.4/inetpeer-fix-data-race-in-inet_putpeer-inet_putpeer.patch b/queue-5.4/inetpeer-fix-data-race-in-inet_putpeer-inet_putpeer.patch
new file mode 100644
index 00000000000..cffdfe8a95f
--- /dev/null
+++ b/queue-5.4/inetpeer-fix-data-race-in-inet_putpeer-inet_putpeer.patch
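Review bot: In the remove_hrtimer() hunk the open-coded `u8 state = timer->state;` is a plain load of the same field that hrtimer_is_queued() was just changed to read with READ_ONCE(), and nothing in the hunk says why the asymmetry is acceptable; the unchanged `u8 state = timer->state;` in __remove_hrtimer() has the same gap. If both functions run with the timer base lock held (likely, but the lock acquisition is outside both hunks), a short comment on each line, `u8 state = timer->state; /* base lock held: no concurrent writer */`, records why no READ_ONCE() is needed there; if they can run lockless, these loads should be annotated like the reader in hrtimer.h. remove_hrtimer() continues past the end of the hunk.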
@@ -0,0 +1,93 @@
+From 71685eb4ce80ae9c49eff82ca4dd15acab215de9 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Thu, 7 Nov 2019 10:30:42 -0800
+Subject: inetpeer: fix data-race in inet_putpeer / inet_putpeer
+
+From: Eric Dumazet
+
+commit 71685eb4ce80ae9c49eff82ca4dd15acab215de9 upstream.
+
+We need to explicitely forbid read/store tearing in inet_peer_gc()
+and inet_putpeer().
+
+The following syzbot report reminds us about inet_putpeer()
+running without a lock held.
+
+BUG: KCSAN: data-race in inet_putpeer / inet_putpeer
+
+write to 0xffff888121fb2ed0 of 4 bytes by interrupt on cpu 0:
+ inet_putpeer+0x37/0xa0 net/ipv4/inetpeer.c:240
+ ip4_frag_free+0x3d/0x50 net/ipv4/ip_fragment.c:102
+ inet_frag_destroy_rcu+0x58/0x80 net/ipv4/inet_fragment.c:228
+ __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
+ rcu_do_batch+0x256/0x5b0 kernel/rcu/tree.c:2157
+ rcu_core+0x369/0x4d0 kernel/rcu/tree.c:2377
+ rcu_core_si+0x12/0x20 kernel/rcu/tree.c:2386
+ __do_softirq+0x115/0x33f kernel/softirq.c:292
+ invoke_softirq kernel/softirq.c:373 [inline]
+ irq_exit+0xbb/0xe0 kernel/softirq.c:413
+ exiting_irq arch/x86/include/asm/apic.h:536 [inline]
+ smp_apic_timer_interrupt+0xe6/0x280 arch/x86/kernel/apic/apic.c:1137
+ apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
+ native_safe_halt+0xe/0x10 arch/x86/kernel/paravirt.c:71
+ arch_cpu_idle+0x1f/0x30 arch/x86/kernel/process.c:571
+ default_idle_call+0x1e/0x40 kernel/sched/idle.c:94
+ cpuidle_idle_call kernel/sched/idle.c:154 [inline]
+ do_idle+0x1af/0x280 kernel/sched/idle.c:263
+
+write to 0xffff888121fb2ed0 of 4 bytes by interrupt on cpu 1:
+ inet_putpeer+0x37/0xa0 net/ipv4/inetpeer.c:240
+ ip4_frag_free+0x3d/0x50 net/ipv4/ip_fragment.c:102
+ inet_frag_destroy_rcu+0x58/0x80 net/ipv4/inet_fragment.c:228
+ __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
+ rcu_do_batch+0x256/0x5b0 kernel/rcu/tree.c:2157
+ rcu_core+0x369/0x4d0 kernel/rcu/tree.c:2377
+ rcu_core_si+0x12/0x20 kernel/rcu/tree.c:2386
+ __do_softirq+0x115/0x33f
kernel/softirq.c:292
+ run_ksoftirqd+0x46/0x60 kernel/softirq.c:603
+ smpboot_thread_fn+0x37d/0x4a0 kernel/smpboot.c:165
+ kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.4.0-rc3+ #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: 4b9d9be839fd ("inetpeer: remove unused list")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv4/inetpeer.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/inetpeer.c
++++ b/net/ipv4/inetpeer.c
+@@ -160,7 +160,12 @@ static void inet_peer_gc(struct inet_pee
+ base->total / inet_peer_threshold * HZ;
+ for (i = 0; i < gc_cnt; i++) {
+ p = gc_stack[i];
+- delta = (__u32)jiffies - p->dtime;
++
++ /* The READ_ONCE() pairs with the WRITE_ONCE()
++ * in inet_putpeer()
++ */
++ delta = (__u32)jiffies - READ_ONCE(p->dtime);
++
+ if (delta < ttl || !refcount_dec_if_one(&p->refcnt))
+ gc_stack[i] = NULL;
+ }
+@@ -237,7 +242,10 @@ EXPORT_SYMBOL_GPL(inet_getpeer);
+
+ void inet_putpeer(struct inet_peer *p)
+ {
+- p->dtime = (__u32)jiffies;
++ /* The WRITE_ONCE() pairs with itself (we run lockless)
++ * and the READ_ONCE() in inet_peer_gc()
++ */
++ WRITE_ONCE(p->dtime, (__u32)jiffies);
+
+ if (refcount_dec_and_test(&p->refcnt))
+ call_rcu(&p->rcu, inetpeer_free_rcu);
diff --git a/queue-5.4/md-make-sure-desc_nr-less-than-md_sb_disks.patch b/queue-5.4/md-make-sure-desc_nr-less-than-md_sb_disks.patch
index e32b89e1825..658d93e8f9f 100644
--- a/queue-5.4/md-make-sure-desc_nr-less-than-md_sb_disks.patch
+++ b/queue-5.4/md-make-sure-desc_nr-less-than-md_sb_disks.patch
@@ -15,14 +15,12 @@ Signed-off-by: Yufen Yu
 Signed-off-by: Song Liu
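Review bot: The new comment in inet_putpeer(), `/* The WRITE_ONCE() pairs with itself (we run lockless) ... */`, is hard to read — a store cannot pair with itself, and the KCSAN report in the description shows what is actually meant: two inet_putpeer() callers storing p->dtime concurrently on different CPUs. Wording it as `/* inet_putpeer() runs without a lock, so concurrent callers may store dtime at the same time; also pairs with the READ_ONCE() in inet_peer_gc() */` says the same thing without the puzzle. inet_peer_gc() starts outside the hunk, and inet_putpeer() continues past the call_rcu() line shown.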
Signed-off-by: Sasha Levin
 ---
- drivers/md/md.c | 1 +
+ drivers/md/md.c | 1 +
 1 file changed, 1 insertion(+)
-diff --git a/drivers/md/md.c b/drivers/md/md.c
-index 805b33e27496..4e7c9f398bc6 100644
 --- a/drivers/md/md.c
 +++ b/drivers/md/md.c
-@@ -1159,6 +1159,7 @@ static int super_90_load(struct md_rdev *rdev, struct md_rdev *refdev, int minor
+@@ -1159,6 +1159,7 @@ static int super_90_load(struct md_rdev
  /* not spare disk, or LEVEL_MULTIPATH */
  if (sb->level == LEVEL_MULTIPATH ||
  (rdev->desc_nr >= 0 &&
@@ -30,6 +28,3 @@ index 805b33e27496..4e7c9f398bc6 100644 sb->disks[rdev->desc_nr].state & ((1< +Date: Thu, 7 Nov 2019 18:49:43 -0800 +Subject: net: add a READ_ONCE() in skb_peek_tail() + +From: Eric Dumazet + +commit f8cc62ca3e660ae3fdaee533b1d554297cd2ae82 upstream. + +skb_peek_tail() can be used without protection of a lock, +as spotted by KCSAN [1] + +In order to avoid load-stearing, add a READ_ONCE() + +Note that the corresponding WRITE_ONCE() are already there. + +[1] +BUG: KCSAN: data-race in sk_wait_data / skb_queue_tail + +read to 0xffff8880b36a4118 of 8 bytes by task 20426 on cpu 1: + skb_peek_tail include/linux/skbuff.h:1784 [inline] + sk_wait_data+0x15b/0x250 net/core/sock.c:2477 + kcm_wait_data+0x112/0x1f0 net/kcm/kcmsock.c:1103 + kcm_recvmsg+0xac/0x320 net/kcm/kcmsock.c:1130 + sock_recvmsg_nosec net/socket.c:871 [inline] + sock_recvmsg net/socket.c:889 [inline] + sock_recvmsg+0x92/0xb0 net/socket.c:885 + ___sys_recvmsg+0x1a0/0x3e0 net/socket.c:2480 + do_recvmmsg+0x19a/0x5c0 net/socket.c:2601 + __sys_recvmmsg+0x1ef/0x200 net/socket.c:2680 + __do_sys_recvmmsg net/socket.c:2703 [inline] + __se_sys_recvmmsg net/socket.c:2696 [inline] + __x64_sys_recvmmsg+0x89/0xb0 net/socket.c:2696 + do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +write to 0xffff8880b36a4118 of 8 bytes by task 451 on cpu 0: + __skb_insert include/linux/skbuff.h:1852 [inline] + __skb_queue_before include/linux/skbuff.h:1958 [inline] + __skb_queue_tail include/linux/skbuff.h:1991 [inline] + skb_queue_tail+0x7e/0xc0 net/core/skbuff.c:3145 + kcm_queue_rcv_skb+0x202/0x310 net/kcm/kcmsock.c:206 + kcm_rcv_strparser+0x74/0x4b0 net/kcm/kcmsock.c:370 + __strp_recv+0x348/0xf50 net/strparser/strparser.c:309 + strp_recv+0x84/0xa0 net/strparser/strparser.c:343 + tcp_read_sock+0x174/0x5c0 net/ipv4/tcp.c:1639 + strp_read_sock+0xd4/0x140 net/strparser/strparser.c:366 + do_strp_work net/strparser/strparser.c:414 [inline] + strp_work+0x9a/0xe0 
net/strparser/strparser.c:423
+ process_one_work+0x3d4/0x890 kernel/workqueue.c:2269
+ worker_thread+0xa0/0x800 kernel/workqueue.c:2415
+ kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 451 Comm: kworker/u4:3 Not tainted 5.4.0-rc3+ #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: kstrp strp_work
+
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/skbuff.h | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -1795,7 +1795,7 @@ static inline struct sk_buff *skb_peek_n
+ */
+ static inline struct sk_buff *skb_peek_tail(const struct sk_buff_head *list_)
+ {
+- struct sk_buff *skb = list_->prev;
++ struct sk_buff *skb = READ_ONCE(list_->prev);
+
+ if (skb == (struct sk_buff *)list_)
+ skb = NULL;
+@@ -1861,7 +1861,9 @@ static inline void __skb_insert(struct s
+ struct sk_buff *prev, struct sk_buff *next,
+ struct sk_buff_head *list)
+ {
+- /* see skb_queue_empty_lockless() for the opposite READ_ONCE() */
++ /* See skb_queue_empty_lockless() and skb_peek_tail()
++ * for the opposite READ_ONCE()
++ */
+ WRITE_ONCE(newsk->next, next);
+ WRITE_ONCE(newsk->prev, prev);
+ WRITE_ONCE(next->prev, newsk);
diff --git a/queue-5.4/net-icmp-fix-data-race-in-cmp_global_allow.patch b/queue-5.4/net-icmp-fix-data-race-in-cmp_global_allow.patch
new file mode 100644
index 00000000000..6d3aa3ec724
--- /dev/null
+++ b/queue-5.4/net-icmp-fix-data-race-in-cmp_global_allow.patch
@@ -0,0 +1,116 @@
+From bbab7ef235031f6733b5429ae7877bfa22339712 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Fri, 8 Nov 2019 10:34:47 -0800
+Subject: net: icmp: fix data-race in cmp_global_allow()
+
+From: Eric Dumazet
+
+commit bbab7ef235031f6733b5429ae7877bfa22339712 upstream.
+
+This code reads two global variables without protection
+of a lock. We need READ_ONCE()/WRITE_ONCE() pairs to
+avoid load/store-tearing and better document the intent.
+
+KCSAN reported :
+BUG: KCSAN: data-race in icmp_global_allow / icmp_global_allow
+
+read to 0xffffffff861a8014 of 4 bytes by task 11201 on cpu 0:
+ icmp_global_allow+0x36/0x1b0 net/ipv4/icmp.c:254
+ icmpv6_global_allow net/ipv6/icmp.c:184 [inline]
+ icmpv6_global_allow net/ipv6/icmp.c:179 [inline]
+ icmp6_send+0x493/0x1140 net/ipv6/icmp.c:514
+ icmpv6_send+0x71/0xb0 net/ipv6/ip6_icmp.c:43
+ ip6_link_failure+0x43/0x180 net/ipv6/route.c:2640
+ dst_link_failure include/net/dst.h:419 [inline]
+ vti_xmit net/ipv4/ip_vti.c:243 [inline]
+ vti_tunnel_xmit+0x27f/0xa50 net/ipv4/ip_vti.c:279
+ __netdev_start_xmit include/linux/netdevice.h:4420 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4434 [inline]
+ xmit_one net/core/dev.c:3280 [inline]
+ dev_hard_start_xmit+0xef/0x430 net/core/dev.c:3296
+ __dev_queue_xmit+0x14c9/0x1b60 net/core/dev.c:3873
+ dev_queue_xmit+0x21/0x30 net/core/dev.c:3906
+ neigh_direct_output+0x1f/0x30 net/core/neighbour.c:1530
+ neigh_output include/net/neighbour.h:511 [inline]
+ ip6_finish_output2+0x7a6/0xec0 net/ipv6/ip6_output.c:116
+ __ip6_finish_output net/ipv6/ip6_output.c:142 [inline]
+ __ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127
+ ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152
+ NF_HOOK_COND include/linux/netfilter.h:294 [inline]
+ ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175
+ dst_output include/net/dst.h:436 [inline]
+ ip6_local_out+0x74/0x90 net/ipv6/output_core.c:179
+
+write to 0xffffffff861a8014 of 4 bytes by task 11183 on cpu 1:
+
icmp_global_allow+0x174/0x1b0 net/ipv4/icmp.c:272
+ icmpv6_global_allow net/ipv6/icmp.c:184 [inline]
+ icmpv6_global_allow net/ipv6/icmp.c:179 [inline]
+ icmp6_send+0x493/0x1140 net/ipv6/icmp.c:514
+ icmpv6_send+0x71/0xb0 net/ipv6/ip6_icmp.c:43
+ ip6_link_failure+0x43/0x180 net/ipv6/route.c:2640
+ dst_link_failure include/net/dst.h:419 [inline]
+ vti_xmit net/ipv4/ip_vti.c:243 [inline]
+ vti_tunnel_xmit+0x27f/0xa50 net/ipv4/ip_vti.c:279
+ __netdev_start_xmit include/linux/netdevice.h:4420 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4434 [inline]
+ xmit_one net/core/dev.c:3280 [inline]
+ dev_hard_start_xmit+0xef/0x430 net/core/dev.c:3296
+ __dev_queue_xmit+0x14c9/0x1b60 net/core/dev.c:3873
+ dev_queue_xmit+0x21/0x30 net/core/dev.c:3906
+ neigh_direct_output+0x1f/0x30 net/core/neighbour.c:1530
+ neigh_output include/net/neighbour.h:511 [inline]
+ ip6_finish_output2+0x7a6/0xec0 net/ipv6/ip6_output.c:116
+ __ip6_finish_output net/ipv6/ip6_output.c:142 [inline]
+ __ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127
+ ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152
+ NF_HOOK_COND include/linux/netfilter.h:294 [inline]
+ ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 11183 Comm: syz-executor.2 Not tainted 5.4.0-rc3+ #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: 4cdf507d5452 ("icmp: add a global rate limitation")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv4/icmp.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -249,10 +249,11 @@ bool icmp_global_allow(void)
+ bool rc = false;
+
+ /* Check if token bucket is empty and cannot be refilled
+- * without taking the spinlock.
The READ_ONCE() are paired
++ * with the following WRITE_ONCE() in this same function.
+ */
+- if (!icmp_global.credit) {
+- delta = min_t(u32, now - icmp_global.stamp, HZ);
++ if (!READ_ONCE(icmp_global.credit)) {
++ delta = min_t(u32, now - READ_ONCE(icmp_global.stamp), HZ);
+ if (delta < HZ / 50)
+ return false;
+ }
+@@ -262,14 +263,14 @@ bool icmp_global_allow(void)
+ if (delta >= HZ / 50) {
+ incr = sysctl_icmp_msgs_per_sec * delta / HZ ;
+ if (incr)
+- icmp_global.stamp = now;
++ WRITE_ONCE(icmp_global.stamp, now);
+ }
+ credit = min_t(u32, icmp_global.credit + incr, sysctl_icmp_msgs_burst);
+ if (credit) {
+ credit--;
+ rc = true;
+ }
+- icmp_global.credit = credit;
++ WRITE_ONCE(icmp_global.credit, credit);
+ spin_unlock(&icmp_global.lock);
+ return rc;
+ }
diff --git a/queue-5.4/net-smc-add-fallback-check-to-connect.patch b/queue-5.4/net-smc-add-fallback-check-to-connect.patch
new file mode 100644
index 00000000000..071ea8f0972
--- /dev/null
+++ b/queue-5.4/net-smc-add-fallback-check-to-connect.patch
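Review bot: `credit = min_t(u32, icmp_global.credit + incr, sysctl_icmp_msgs_burst);` in the second hunk still reads icmp_global.credit with a plain load, a few lines after the fast path was annotated with READ_ONCE(), and nothing in the hunk explains the difference. The spin_unlock(&icmp_global.lock) that follows suggests this read is under icmp_global.lock (the lock acquisition is outside the hunk), so it is fine as written; a comment such as `/* under icmp_global.lock: only the early-exit check above runs lockless */` would keep the annotation boundary explicit for the next KCSAN report. The new comment text `The READ_ONCE() are paired` reads better as `The READ_ONCE()s are paired`. icmp_global_allow() starts outside the hunk.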
@@ -0,0 +1,95 @@
+From 86434744fedf0cfe07a9eee3f4632c0e25c1d136 Mon Sep 17 00:00:00 2001
+From: Ursula Braun
+Date: Thu, 12 Dec 2019 22:35:58 +0100
+Subject: net/smc: add fallback check to connect()
+
+From: Ursula Braun
+
+commit 86434744fedf0cfe07a9eee3f4632c0e25c1d136 upstream.
+
+FASTOPEN setsockopt() or sendmsg() may switch the SMC socket to fallback
+mode. Once fallback mode is active, the native TCP socket functions are
+called. Nevertheless there is a small race window, when FASTOPEN
+setsockopt/sendmsg runs in parallel to a connect(), and switch the
+socket into fallback mode before connect() takes the sock lock.
+Make sure the SMC-specific connect setup is omitted in this case.
+
+This way a syzbot-reported refcount problem is fixed, triggered by
+different threads running non-blocking connect() and FASTOPEN_KEY
+setsockopt.
+
+Reported-by: syzbot+96d3f9ff6a86d37e44c8@syzkaller.appspotmail.com
+Fixes: 6d6dd528d5af ("net/smc: fix refcount non-blocking connect() -part 2")
+Signed-off-by: Ursula Braun
+Signed-off-by: Karsten Graul
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/smc/af_smc.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -854,6 +854,8 @@ static int smc_connect(struct socket *so
+ goto out;
+
+ sock_hold(&smc->sk); /* sock put in passive closing */
++ if (smc->use_fallback)
++ goto out;
+ if (flags & O_NONBLOCK) {
+ if (schedule_work(&smc->connect_work))
+ smc->connect_nonblock = 1;
+@@ -1716,8 +1718,6 @@ static int smc_setsockopt(struct socket
+ sk->sk_err = smc->clcsock->sk->sk_err;
+ sk->sk_error_report(sk);
+ }
+- if (rc)
+- return rc;
+
+ if (optlen < sizeof(int))
+ return -EINVAL;
+@@ -1725,6 +1725,8 @@ static int smc_setsockopt(struct socket
+ return -EFAULT;
+
+ lock_sock(sk);
++ if (rc || smc->use_fallback)
++ goto out;
+ switch (optname) {
+ case TCP_ULP:
+ case TCP_FASTOPEN:
+@@ -1736,15 +1738,14 @@ static int smc_setsockopt(struct socket
+ smc_switch_to_fallback(smc);
+ smc->fallback_rsn = SMC_CLC_DECL_OPTUNSUPP;
+ } else {
+- if (!smc->use_fallback)
+- rc = -EINVAL;
++ rc = -EINVAL;
+ }
+ break;
+ case TCP_NODELAY:
+ if (sk->sk_state != SMC_INIT &&
+ sk->sk_state != SMC_LISTEN &&
+ sk->sk_state != SMC_CLOSED) {
+- if (val && !smc->use_fallback)
++ if (val)
+ mod_delayed_work(system_wq, &smc->conn.tx_work,
+ 0);
+ }
+@@ -1753,7 +1754,7 @@ static int smc_setsockopt(struct socket
+ if (sk->sk_state != SMC_INIT &&
+ sk->sk_state != SMC_LISTEN &&
+ sk->sk_state != SMC_CLOSED) {
+- if (!val && !smc->use_fallback)
++ if (!val)
+ mod_delayed_work(system_wq, &smc->conn.tx_work,
+ 0);
+ }
+@@ -1764,6 +1765,7 @@ static int smc_setsockopt(struct socket
+ default:
+ break;
+ }
++out:
+ release_sock(sk);
+
+ return rc;
diff --git a/queue-5.4/netfilter-bridge-make-sure-to-pull-arp-header-in-br_nf_forward_arp.patch b/queue-5.4/netfilter-bridge-make-sure-to-pull-arp-header-in-br_nf_forward_arp.patch
new file mode 100644
index 00000000000..341dbc95c95
--- /dev/null
+++ b/queue-5.4/netfilter-bridge-make-sure-to-pull-arp-header-in-br_nf_forward_arp.patch
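Review bot: In smc_setsockopt the former `if (rc) return rc;` after the clcsock setsockopt is now folded into `if (rc || smc->use_fallback) goto out;` below the `optlen`/`get_user()` validation, so a clcsock error is reported as -EINVAL or -EFAULT whenever those checks fail first; if the clcsock error is meant to take precedence, the rc test should stay ahead of `if (optlen < sizeof(int))`. In smc_connect the new `goto out` sits directly after `sock_hold(&smc->sk)`, whose comment promises a matching put in passive closing, and this hunk does not show whether the fallback path still reaches that put; a comment naming where the hold is released in fallback mode (or the put itself, if it is missing) should be added once that is confirmed. Both smc_connect and smc_setsockopt start and end outside these hunks.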
@@ -0,0 +1,110 @@ +From 5604285839aaedfb23ebe297799c6e558939334d Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Sat, 7 Dec 2019 14:43:39 -0800 +Subject: netfilter: bridge: make sure to pull arp header in br_nf_forward_arp() + +From: Eric Dumazet + +commit 5604285839aaedfb23ebe297799c6e558939334d upstream. + +syzbot is kind enough to remind us we need to call skb_may_pull() + +BUG: KMSAN: uninit-value in br_nf_forward_arp+0xe61/0x1230 net/bridge/br_netfilter_hooks.c:665 +CPU: 1 PID: 11631 Comm: syz-executor.1 Not tainted 5.4.0-rc8-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1c9/0x220 lib/dump_stack.c:118 + kmsan_report+0x128/0x220 mm/kmsan/kmsan_report.c:108 + __msan_warning+0x64/0xc0 mm/kmsan/kmsan_instr.c:245 + br_nf_forward_arp+0xe61/0x1230 net/bridge/br_netfilter_hooks.c:665 + nf_hook_entry_hookfn include/linux/netfilter.h:135 [inline] + nf_hook_slow+0x18b/0x3f0 net/netfilter/core.c:512 + nf_hook include/linux/netfilter.h:260 [inline] + NF_HOOK include/linux/netfilter.h:303 [inline] + __br_forward+0x78f/0xe30 net/bridge/br_forward.c:109 + br_flood+0xef0/0xfe0 net/bridge/br_forward.c:234 + br_handle_frame_finish+0x1a77/0x1c20 net/bridge/br_input.c:162 + nf_hook_bridge_pre net/bridge/br_input.c:245 [inline] + br_handle_frame+0xfb6/0x1eb0 net/bridge/br_input.c:348 + __netif_receive_skb_core+0x20b9/0x51a0 net/core/dev.c:4830 + __netif_receive_skb_one_core net/core/dev.c:4927 [inline] + __netif_receive_skb net/core/dev.c:5043 [inline] + process_backlog+0x610/0x13c0 net/core/dev.c:5874 + napi_poll net/core/dev.c:6311 [inline] + net_rx_action+0x7a6/0x1aa0 net/core/dev.c:6379 + __do_softirq+0x4a1/0x83a kernel/softirq.c:293 + do_softirq_own_stack+0x49/0x80 arch/x86/entry/entry_64.S:1091 + + do_softirq kernel/softirq.c:338 [inline] + __local_bh_enable_ip+0x184/0x1d0 kernel/softirq.c:190 + local_bh_enable+0x36/0x40 
include/linux/bottom_half.h:32 + rcu_read_unlock_bh include/linux/rcupdate.h:688 [inline] + __dev_queue_xmit+0x38e8/0x4200 net/core/dev.c:3819 + dev_queue_xmit+0x4b/0x60 net/core/dev.c:3825 + packet_snd net/packet/af_packet.c:2959 [inline] + packet_sendmsg+0x8234/0x9100 net/packet/af_packet.c:2984 + sock_sendmsg_nosec net/socket.c:637 [inline] + sock_sendmsg net/socket.c:657 [inline] + __sys_sendto+0xc44/0xc70 net/socket.c:1952 + __do_sys_sendto net/socket.c:1964 [inline] + __se_sys_sendto+0x107/0x130 net/socket.c:1960 + __x64_sys_sendto+0x6e/0x90 net/socket.c:1960 + do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x45a679 +Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007f0a3c9e5c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 000000000045a679 +RDX: 000000000000000e RSI: 0000000020000200 RDI: 0000000000000003 +RBP: 000000000075bf20 R08: 00000000200000c0 R09: 0000000000000014 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0a3c9e66d4 +R13: 00000000004c8ec1 R14: 00000000004dfe28 R15: 00000000ffffffff + +Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:149 [inline] + kmsan_internal_poison_shadow+0x5c/0x110 mm/kmsan/kmsan.c:132 + kmsan_slab_alloc+0x97/0x100 mm/kmsan/kmsan_hooks.c:86 + slab_alloc_node mm/slub.c:2773 [inline] + __kmalloc_node_track_caller+0xe27/0x11a0 mm/slub.c:4381 + __kmalloc_reserve net/core/skbuff.c:141 [inline] + __alloc_skb+0x306/0xa10 net/core/skbuff.c:209 + alloc_skb include/linux/skbuff.h:1049 [inline] + alloc_skb_with_frags+0x18c/0xa80 net/core/skbuff.c:5662 + sock_alloc_send_pskb+0xafd/0x10a0 net/core/sock.c:2244 + packet_alloc_skb net/packet/af_packet.c:2807 [inline] + packet_snd net/packet/af_packet.c:2902 [inline] + 
packet_sendmsg+0x63a6/0x9100 net/packet/af_packet.c:2984 + sock_sendmsg_nosec net/socket.c:637 [inline] + sock_sendmsg net/socket.c:657 [inline] + __sys_sendto+0xc44/0xc70 net/socket.c:1952 + __do_sys_sendto net/socket.c:1964 [inline] + __se_sys_sendto+0x107/0x130 net/socket.c:1960 + __x64_sys_sendto+0x6e/0x90 net/socket.c:1960 + do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: c4e70a87d975 ("netfilter: bridge: rename br_netfilter.c to br_netfilter_hooks.c") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/bridge/br_netfilter_hooks.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/bridge/br_netfilter_hooks.c ++++ b/net/bridge/br_netfilter_hooks.c +@@ -662,6 +662,9 @@ static unsigned int br_nf_forward_arp(vo + nf_bridge_pull_encap_header(skb); + } + ++ if (unlikely(!pskb_may_pull(skb, sizeof(struct arphdr)))) ++ return NF_DROP; ++ + if (arp_hdr(skb)->ar_pln != 4) { + if (is_vlan_arp(skb, state->net)) + nf_bridge_push_encap_header(skb); diff --git a/queue-5.4/netfilter-ebtables-compat-reject-all-padding-in-matches-watchers.patch b/queue-5.4/netfilter-ebtables-compat-reject-all-padding-in-matches-watchers.patch new file mode 100644 index 00000000000..bcc2a9841b7 --- /dev/null +++ b/queue-5.4/netfilter-ebtables-compat-reject-all-padding-in-matches-watchers.patch 
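Review bot: The added `pskb_may_pull(skb, sizeof(struct arphdr))` covers only the fixed header that `arp_hdr(skb)->ar_pln` reads on the following line; any later access in br_nf_forward_arp to the sender/target fields behind the header needs its own pull or must rely on the arptables hooks to bounds-check, and the function continues outside the hunk so that cannot be confirmed here. Placing the pull after `nf_bridge_pull_encap_header(skb)` is right, since it must operate on the decapsulated offset, and `arp_hdr()` is correctly evaluated only after the pull, which may relocate the skb head. A short comment would make that ordering explicit: `/* may reallocate the head: do not cache arp_hdr() across this call */`.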
@@ -0,0 +1,138 @@ +From e608f631f0ba5f1fc5ee2e260a3a35d13107cbfe Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Sun, 15 Dec 2019 03:49:25 +0100 +Subject: netfilter: ebtables: compat: reject all padding in matches/watchers + +From: Florian Westphal + +commit e608f631f0ba5f1fc5ee2e260a3a35d13107cbfe upstream. + +syzbot reported following splat: + +BUG: KASAN: vmalloc-out-of-bounds in size_entry_mwt net/bridge/netfilter/ebtables.c:2063 [inline] +BUG: KASAN: vmalloc-out-of-bounds in compat_copy_entries+0x128b/0x1380 net/bridge/netfilter/ebtables.c:2155 +Read of size 4 at addr ffffc900004461f4 by task syz-executor267/7937 + +CPU: 1 PID: 7937 Comm: syz-executor267 Not tainted 5.5.0-rc1-syzkaller #0 + size_entry_mwt net/bridge/netfilter/ebtables.c:2063 [inline] + compat_copy_entries+0x128b/0x1380 net/bridge/netfilter/ebtables.c:2155 + compat_do_replace+0x344/0x720 net/bridge/netfilter/ebtables.c:2249 + compat_do_ebt_set_ctl+0x22f/0x27e net/bridge/netfilter/ebtables.c:2333 + [..] + +Because padding isn't considered during computation of ->buf_user_offset, +"total" is decremented by fewer bytes than it should. + +Therefore, the first part of + +if (*total < sizeof(*entry) || entry->next_offset < sizeof(*entry)) + +will pass, -- it should not have. This causes oob access: +entry->next_offset is past the vmalloced size. + +Reject padding and check that computed user offset (sum of ebt_entry +structure plus all individual matches/watchers/targets) is same +value that userspace gave us as the offset of the next entry. 
+ +Reported-by: syzbot+f68108fed972453a0ad4@syzkaller.appspotmail.com +Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/bridge/netfilter/ebtables.c | 33 ++++++++++++++++----------------- + 1 file changed, 16 insertions(+), 17 deletions(-) + +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -1867,7 +1867,7 @@ static int ebt_buf_count(struct ebt_entr + } + + static int ebt_buf_add(struct ebt_entries_buf_state *state, +- void *data, unsigned int sz) ++ const void *data, unsigned int sz) + { + if (state->buf_kern_start == NULL) + goto count_only; +@@ -1901,7 +1901,7 @@ enum compat_mwt { + EBT_COMPAT_TARGET, + }; + +-static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt, ++static int compat_mtw_from_user(const struct compat_ebt_entry_mwt *mwt, + enum compat_mwt compat_mwt, + struct ebt_entries_buf_state *state, + const unsigned char *base) +@@ -1979,22 +1979,23 @@ static int compat_mtw_from_user(struct c + /* return size of all matches, watchers or target, including necessary + * alignment and padding. 
+ */ +-static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32, ++static int ebt_size_mwt(const struct compat_ebt_entry_mwt *match32, + unsigned int size_left, enum compat_mwt type, + struct ebt_entries_buf_state *state, const void *base) + { ++ const char *buf = (const char *)match32; + int growth = 0; +- char *buf; + + if (size_left == 0) + return 0; + +- buf = (char *) match32; +- +- while (size_left >= sizeof(*match32)) { ++ do { + struct ebt_entry_match *match_kern; + int ret; + ++ if (size_left < sizeof(*match32)) ++ return -EINVAL; ++ + match_kern = (struct ebt_entry_match *) state->buf_kern_start; + if (match_kern) { + char *tmp; +@@ -2031,22 +2032,18 @@ static int ebt_size_mwt(struct compat_eb + if (match_kern) + match_kern->match_size = ret; + +- /* rule should have no remaining data after target */ +- if (type == EBT_COMPAT_TARGET && size_left) +- return -EINVAL; +- + match32 = (struct compat_ebt_entry_mwt *) buf; +- } ++ } while (size_left); + + return growth; + } + + /* called for all ebt_entry structures. */ +-static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base, ++static int size_entry_mwt(const struct ebt_entry *entry, const unsigned char *base, + unsigned int *total, + struct ebt_entries_buf_state *state) + { +- unsigned int i, j, startoff, new_offset = 0; ++ unsigned int i, j, startoff, next_expected_off, new_offset = 0; + /* stores match/watchers/targets & offset of next struct ebt_entry: */ + unsigned int offsets[4]; + unsigned int *offsets_update = NULL; +@@ -2132,11 +2129,13 @@ static int size_entry_mwt(struct ebt_ent + return ret; + } + +- startoff = state->buf_user_offset - startoff; ++ next_expected_off = state->buf_user_offset - startoff; ++ if (next_expected_off != entry->next_offset) ++ return -EINVAL; + +- if (WARN_ON(*total < startoff)) ++ if (*total < entry->next_offset) + return -EINVAL; +- *total -= startoff; ++ *total -= entry->next_offset; + return 0; + } + 
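Review bot: size_entry_mwt now rejects an entry whose computed size differs from `entry->next_offset`, but the code gives no hint why an exact match rather than `<=` is required; a comment above `if (next_expected_off != entry->next_offset)` along the lines of `/* user-supplied next_offset must equal the size we computed: any padding would shrink *total by too little and the next entry would be read past the vmalloc'd buffer */` would preserve the reasoning from the commit message. In ebt_size_mwt the "rule should have no remaining data after target" check was dropped, so trailing bytes after a target are presumably caught only by that equality test at the end of size_entry_mwt; that appears sufficient but is a longer path and is worth stating in the same comment. The middle of ebt_size_mwt and the loop that calls size_entry_mwt lie outside these hunks.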
diff --git a/queue-5.4/powerpc-fix-__clear_user-with-kuap-enabled.patch b/queue-5.4/powerpc-fix-__clear_user-with-kuap-enabled.patch new file mode 100644 index 00000000000..8322cb250a4 --- /dev/null +++ b/queue-5.4/powerpc-fix-__clear_user-with-kuap-enabled.patch 
@@ -0,0 +1,110 @@ +From 61e3acd8c693a14fc69b824cb5b08d02cb90a6e7 Mon Sep 17 00:00:00 2001 +From: Andrew Donnellan +Date: Tue, 10 Dec 2019 00:22:21 +1100 +Subject: powerpc: Fix __clear_user() with KUAP enabled + +From: Andrew Donnellan + +commit 61e3acd8c693a14fc69b824cb5b08d02cb90a6e7 upstream. + +The KUAP implementation adds calls in clear_user() to enable and +disable access to userspace memory. However, it doesn't add these to +__clear_user(), which is used in the ptrace regset code. + +As there's only one direct user of __clear_user() (the regset code), +and the time taken to set the AMR for KUAP purposes is going to +dominate the cost of a quick access_ok(), there's not much point +having a separate path. + +Rename __clear_user() to __arch_clear_user(), and make __clear_user() +just call clear_user(). + +Reported-by: syzbot+f25ecf4b2982d8c7a640@syzkaller-ppc64.appspotmail.com +Reported-by: Daniel Axtens +Suggested-by: Michael Ellerman +Fixes: de78a9c42a79 ("powerpc: Add a framework for Kernel Userspace Access Protection") +Signed-off-by: Andrew Donnellan +[mpe: Use __arch_clear_user() for the asm version like arm64 & nds32] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20191209132221.15328-1-ajd@linux.ibm.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/uaccess.h | 9 +++++++-- + arch/powerpc/lib/string_32.S | 4 ++-- + arch/powerpc/lib/string_64.S | 6 +++--- + 3 files changed, 12 insertions(+), 7 deletions(-) + +--- a/arch/powerpc/include/asm/uaccess.h ++++ b/arch/powerpc/include/asm/uaccess.h +@@ -401,7 +401,7 @@ copy_to_user_mcsafe(void __user *to, con + return n; + } + +-extern unsigned long __clear_user(void __user *addr, unsigned long size); ++unsigned long __arch_clear_user(void __user *addr, unsigned long size); + + static inline unsigned long clear_user(void __user *addr, unsigned long size) + { +@@ -409,12 +409,17 @@ static inline unsigned long clear_user(v + might_fault(); + if (likely(access_ok(addr, 
size))) { + allow_write_to_user(addr, size); +- ret = __clear_user(addr, size); ++ ret = __arch_clear_user(addr, size); + prevent_write_to_user(addr, size); + } + return ret; + } + ++static inline unsigned long __clear_user(void __user *addr, unsigned long size) ++{ ++ return clear_user(addr, size); ++} ++ + extern long strncpy_from_user(char *dst, const char __user *src, long count); + extern __must_check long strnlen_user(const char __user *str, long n); + +--- a/arch/powerpc/lib/string_32.S ++++ b/arch/powerpc/lib/string_32.S +@@ -17,7 +17,7 @@ CACHELINE_BYTES = L1_CACHE_BYTES + LG_CACHELINE_BYTES = L1_CACHE_SHIFT + CACHELINE_MASK = (L1_CACHE_BYTES-1) + +-_GLOBAL(__clear_user) ++_GLOBAL(__arch_clear_user) + /* + * Use dcbz on the complete cache lines in the destination + * to set them to zero. This requires that the destination +@@ -87,4 +87,4 @@ _GLOBAL(__clear_user) + EX_TABLE(8b, 91b) + EX_TABLE(9b, 91b) + +-EXPORT_SYMBOL(__clear_user) ++EXPORT_SYMBOL(__arch_clear_user) +--- a/arch/powerpc/lib/string_64.S ++++ b/arch/powerpc/lib/string_64.S +@@ -17,7 +17,7 @@ PPC64_CACHES: + .section ".text" + + /** +- * __clear_user: - Zero a block of memory in user space, with less checking. ++ * __arch_clear_user: - Zero a block of memory in user space, with less checking. + * @to: Destination address, in user space. + * @n: Number of bytes to zero. + * +@@ -58,7 +58,7 @@ err3; stb r0,0(r3) + mr r3,r4 + blr + +-_GLOBAL_TOC(__clear_user) ++_GLOBAL_TOC(__arch_clear_user) + cmpdi r4,32 + neg r6,r3 + li r0,0 +@@ -181,4 +181,4 @@ err1; dcbz 0,r3 + cmpdi r4,32 + blt .Lshort_clear + b .Lmedium_clear +-EXPORT_SYMBOL(__clear_user) ++EXPORT_SYMBOL(__arch_clear_user) diff --git a/queue-5.4/revert-iwlwifi-assign-directly-to-iwl_trans-cfg-in-quz-detection.patch b/queue-5.4/revert-iwlwifi-assign-directly-to-iwl_trans-cfg-in-quz-detection.patch new file mode 100644 index 00000000000..a1bcb1cd4d2 --- /dev/null 
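Review bot: The new `static inline unsigned long __clear_user()` departs from the usual contract of the double-underscore uaccess helpers (no `access_ok()`, caller already checked) by routing through `clear_user()` and therefore a second `access_ok()` plus the KUAP open/close, and the header says nothing about that. A comment above the wrapper, e.g. `/* Not a "no checks" variant on powerpc: must go through clear_user() so the KUAP window is opened around the access. */`, would stop a later reader from "optimising" it back to a direct `__arch_clear_user()` call and silently losing KUAP protection. Dropping `extern` from the `__arch_clear_user` prototype is consistent with current kernel style.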
+++ b/queue-5.4/revert-iwlwifi-assign-directly-to-iwl_trans-cfg-in-quz-detection.patch 
@@ -0,0 +1,61 @@ +From db5cce1afc8d2475d2c1c37c2a8267dd0e151526 Mon Sep 17 00:00:00 2001 +From: Anders Kaseorg +Date: Mon, 2 Dec 2019 17:09:20 -0500 +Subject: Revert "iwlwifi: assign directly to iwl_trans->cfg in QuZ detection" + +From: Anders Kaseorg + +commit db5cce1afc8d2475d2c1c37c2a8267dd0e151526 upstream. + +This reverts commit 968dcfb4905245dc64d65312c0d17692fa087b99. + +Both that commit and commit 809805a820c6445f7a701ded24fdc6bbc841d1e4 +attempted to fix the same bug (dead assignments to the local variable +cfg), but they did so in incompatible ways. When they were both merged, +independently of each other, the combination actually caused the bug to +reappear, leading to a firmware crash on boot for some cards. + +https://bugzilla.kernel.org/show_bug.cgi?id=205719 + +Signed-off-by: Anders Kaseorg +Acked-by: Luca Coelho +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +@@ -1111,18 +1111,18 @@ static int iwl_pci_probe(struct pci_dev + + /* same thing for QuZ... 
*/ + if (iwl_trans->hw_rev == CSR_HW_REV_TYPE_QUZ) { +- if (iwl_trans->cfg == &iwl_ax101_cfg_qu_hr) +- iwl_trans->cfg = &iwl_ax101_cfg_quz_hr; +- else if (iwl_trans->cfg == &iwl_ax201_cfg_qu_hr) +- iwl_trans->cfg = &iwl_ax201_cfg_quz_hr; +- else if (iwl_trans->cfg == &iwl9461_2ac_cfg_qu_b0_jf_b0) +- iwl_trans->cfg = &iwl9461_2ac_cfg_quz_a0_jf_b0_soc; +- else if (iwl_trans->cfg == &iwl9462_2ac_cfg_qu_b0_jf_b0) +- iwl_trans->cfg = &iwl9462_2ac_cfg_quz_a0_jf_b0_soc; +- else if (iwl_trans->cfg == &iwl9560_2ac_cfg_qu_b0_jf_b0) +- iwl_trans->cfg = &iwl9560_2ac_cfg_quz_a0_jf_b0_soc; +- else if (iwl_trans->cfg == &iwl9560_2ac_160_cfg_qu_b0_jf_b0) +- iwl_trans->cfg = &iwl9560_2ac_160_cfg_quz_a0_jf_b0_soc; ++ if (cfg == &iwl_ax101_cfg_qu_hr) ++ cfg = &iwl_ax101_cfg_quz_hr; ++ else if (cfg == &iwl_ax201_cfg_qu_hr) ++ cfg = &iwl_ax201_cfg_quz_hr; ++ else if (cfg == &iwl9461_2ac_cfg_qu_b0_jf_b0) ++ cfg = &iwl9461_2ac_cfg_quz_a0_jf_b0_soc; ++ else if (cfg == &iwl9462_2ac_cfg_qu_b0_jf_b0) ++ cfg = &iwl9462_2ac_cfg_quz_a0_jf_b0_soc; ++ else if (cfg == &iwl9560_2ac_cfg_qu_b0_jf_b0) ++ cfg = &iwl9560_2ac_cfg_quz_a0_jf_b0_soc; ++ else if (cfg == &iwl9560_2ac_160_cfg_qu_b0_jf_b0) ++ cfg = &iwl9560_2ac_160_cfg_quz_a0_jf_b0_soc; + } + + #endif diff --git a/queue-5.4/series b/queue-5.4/series index 719ec37ff7a..8f78bd77a6e 100644 --- a/queue-5.4/series +++ b/queue-5.4/series 
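Review bot: The QuZ block now rewrites the local `cfg` instead of `iwl_trans->cfg`, but nothing in the hunk shows where `cfg` is later committed to `iwl_trans`, so from this context alone the assignments look dead, which is exactly the confusion that produced the two conflicting fixes; a comment such as `/* cfg is written back to iwl_trans->cfg below; adjust only the local copy here */`, added once that writeback is confirmed, would document the invariant this revert restores. The six-way pointer-comparison chain is also a candidate for a small `{ from, to }` lookup table the next time a variant is added. iwl_pci_probe continues outside the hunk.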
@@ -131,3 +131,18 @@ userfaultfd-require-cap_sys_ptrace-for-uffd_feature_.patch
 revert-powerpc-vcpu-assume-dedicated-processors-as-non-preempt.patch
 sctp-fix-err-handling-of-stream-initialization.patch
 md-make-sure-desc_nr-less-than-md_sb_disks.patch
+revert-iwlwifi-assign-directly-to-iwl_trans-cfg-in-quz-detection.patch
+netfilter-ebtables-compat-reject-all-padding-in-matches-watchers.patch
+6pack-mkiss-fix-possible-deadlock.patch
+powerpc-fix-__clear_user-with-kuap-enabled.patch
+net-smc-add-fallback-check-to-connect.patch
+netfilter-bridge-make-sure-to-pull-arp-header-in-br_nf_forward_arp.patch
+inetpeer-fix-data-race-in-inet_putpeer-inet_putpeer.patch
+net-add-a-read_once-in-skb_peek_tail.patch
+net-icmp-fix-data-race-in-cmp_global_allow.patch
+hrtimer-annotate-lockless-access-to-timer-state.patch
+tomoyo-don-t-use-nifty-names-on-sockets.patch
+uaccess-disallow-int_max-copy-sizes.patch
+drm-limit-to-int_max-in-create_blob-ioctl.patch
+xfs-fix-mount-failure-crash-on-invalid-iclog-memory-access.patch
+shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch
diff --git a/queue-5.4/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch b/queue-5.4/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch
new file mode 100644
index 00000000000..5c3a7fd2132
--- /dev/null
+++ b/queue-5.4/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch
@@ -0,0 +1,88 @@ +From 8897c1b1a1795cab23d5ac13e4e23bf0b5f4e0c6 Mon Sep 17 00:00:00 2001 +From: "Kirill A. Shutemov" +Date: Sat, 30 Nov 2019 17:50:26 -0800 +Subject: shmem: pin the file in shmem_fault() if mmap_sem is dropped + +From: Kirill A. Shutemov + +commit 8897c1b1a1795cab23d5ac13e4e23bf0b5f4e0c6 upstream. + +syzbot found the following crash: + + BUG: KASAN: use-after-free in perf_trace_lock_acquire+0x401/0x530 include/trace/events/lock.h:13 + Read of size 8 at addr ffff8880a5cf2c50 by task syz-executor.0/26173 + + CPU: 0 PID: 26173 Comm: syz-executor.0 Not tainted 5.3.0-rc6 #146 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + Call Trace: + perf_trace_lock_acquire+0x401/0x530 include/trace/events/lock.h:13 + trace_lock_acquire include/trace/events/lock.h:13 [inline] + lock_acquire+0x2de/0x410 kernel/locking/lockdep.c:4411 + __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] + _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151 + spin_lock include/linux/spinlock.h:338 [inline] + shmem_fault+0x5ec/0x7b0 mm/shmem.c:2034 + __do_fault+0x111/0x540 mm/memory.c:3083 + do_shared_fault mm/memory.c:3535 [inline] + do_fault mm/memory.c:3613 [inline] + handle_pte_fault mm/memory.c:3840 [inline] + __handle_mm_fault+0x2adf/0x3f20 mm/memory.c:3964 + handle_mm_fault+0x1b5/0x6b0 mm/memory.c:4001 + do_user_addr_fault arch/x86/mm/fault.c:1441 [inline] + __do_page_fault+0x536/0xdd0 arch/x86/mm/fault.c:1506 + do_page_fault+0x38/0x590 arch/x86/mm/fault.c:1530 + page_fault+0x39/0x40 arch/x86/entry/entry_64.S:1202 + +It happens if the VMA got unmapped under us while we dropped mmap_sem +and inode got freed. + +Pinning the file if we drop mmap_sem fixes the issue. + +Link: http://lkml.kernel.org/r/20190927083908.rhifa4mmaxefc24r@box +Signed-off-by: Kirill A. 
Shutemov +Reported-by: syzbot+03ee87124ee05af991bd@syzkaller.appspotmail.com +Acked-by: Johannes Weiner +Reviewed-by: Matthew Wilcox (Oracle) +Cc: Hillf Danton +Cc: Hugh Dickins +Cc: Josef Bacik +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/shmem.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -2022,16 +2022,14 @@ static vm_fault_t shmem_fault(struct vm_ + shmem_falloc->waitq && + vmf->pgoff >= shmem_falloc->start && + vmf->pgoff < shmem_falloc->next) { ++ struct file *fpin; + wait_queue_head_t *shmem_falloc_waitq; + DEFINE_WAIT_FUNC(shmem_fault_wait, synchronous_wake_function); + + ret = VM_FAULT_NOPAGE; +- if ((vmf->flags & FAULT_FLAG_ALLOW_RETRY) && +- !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) { +- /* It's polite to up mmap_sem if we can */ +- up_read(&vma->vm_mm->mmap_sem); ++ fpin = maybe_unlock_mmap_for_io(vmf, NULL); ++ if (fpin) + ret = VM_FAULT_RETRY; +- } + + shmem_falloc_waitq = shmem_falloc->waitq; + prepare_to_wait(shmem_falloc_waitq, &shmem_fault_wait, +@@ -2049,6 +2047,9 @@ static vm_fault_t shmem_fault(struct vm_ + spin_lock(&inode->i_lock); + finish_wait(shmem_falloc_waitq, &shmem_fault_wait); + spin_unlock(&inode->i_lock); ++ ++ if (fpin) ++ fput(fpin); + return ret; + } + spin_unlock(&inode->i_lock); diff --git a/queue-5.4/tomoyo-don-t-use-nifty-names-on-sockets.patch b/queue-5.4/tomoyo-don-t-use-nifty-names-on-sockets.patch new file mode 100644 index 00000000000..11956bde864 --- /dev/null +++ b/queue-5.4/tomoyo-don-t-use-nifty-names-on-sockets.patch 
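Review bot: `fput(fpin)` is correctly placed after `spin_unlock(&inode->i_lock)`, but nothing records why that order matters: the pinned file is what keeps the inode alive while mmap_sem is dropped, so releasing it inside the i_lock section would bring the reported use-after-free back. A comment such as `/* drop the file pin only after the last use of inode->i_lock */` above `if (fpin)` would capture that. The explicit `FAULT_FLAG_ALLOW_RETRY`/`FAULT_FLAG_RETRY_NOWAIT` test is now delegated to `maybe_unlock_mmap_for_io()`; that helper presumably applies the same condition, which is worth confirming since a non-NULL return is now the only thing that sets `ret = VM_FAULT_RETRY`. shmem_fault starts before the hunk.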
@@ -0,0 +1,80 @@ +From 6f7c41374b62fd80bbd8aae3536c43688c54d95e Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Mon, 25 Nov 2019 10:46:51 +0900 +Subject: tomoyo: Don't use nifty names on sockets. + +From: Tetsuo Handa + +commit 6f7c41374b62fd80bbd8aae3536c43688c54d95e upstream. + +syzbot is reporting that use of SOCKET_I()->sk from open() can result in +use after free problem [1], for socket's inode is still reachable via +/proc/pid/fd/n despite destruction of SOCKET_I()->sk already completed. + +At first I thought that this race condition applies to only open/getattr +permission checks. But James Morris has pointed out that there are more +permission checks where this race condition applies to. Thus, get rid of +tomoyo_get_socket_name() instead of conditionally bypassing permission +checks on sockets. As a side effect of this patch, +"socket:[family=\$:type=\$:protocol=\$]" in the policy files has to be +rewritten to "socket:[\$]". + +[1] https://syzkaller.appspot.com/bug?id=73d590010454403d55164cca23bd0565b1eb3b74 + +Signed-off-by: Tetsuo Handa +Reported-by: syzbot +Reported-by: James Morris +Signed-off-by: Greg Kroah-Hartman + +--- + security/tomoyo/realpath.c | 32 +------------------------------- + 1 file changed, 1 insertion(+), 31 deletions(-) + +--- a/security/tomoyo/realpath.c ++++ b/security/tomoyo/realpath.c +@@ -218,31 +218,6 @@ out: + } + + /** +- * tomoyo_get_socket_name - Get the name of a socket. +- * +- * @path: Pointer to "struct path". +- * @buffer: Pointer to buffer to return value in. +- * @buflen: Sizeof @buffer. +- * +- * Returns the buffer. +- */ +-static char *tomoyo_get_socket_name(const struct path *path, char * const buffer, +- const int buflen) +-{ +- struct inode *inode = d_backing_inode(path->dentry); +- struct socket *sock = inode ? SOCKET_I(inode) : NULL; +- struct sock *sk = sock ? 
sock->sk : NULL; +- +- if (sk) { +- snprintf(buffer, buflen, "socket:[family=%u:type=%u:protocol=%u]", +- sk->sk_family, sk->sk_type, sk->sk_protocol); +- } else { +- snprintf(buffer, buflen, "socket:[unknown]"); +- } +- return buffer; +-} +- +-/** + * tomoyo_realpath_from_path - Returns realpath(3) of the given pathname but ignores chroot'ed root. + * + * @path: Pointer to "struct path". +@@ -279,12 +254,7 @@ char *tomoyo_realpath_from_path(const st + break; + /* To make sure that pos is '\0' terminated. */ + buf[buf_len - 1] = '\0'; +- /* Get better name for socket. */ +- if (sb->s_magic == SOCKFS_MAGIC) { +- pos = tomoyo_get_socket_name(path, buf, buf_len - 1); +- goto encode; +- } +- /* For "pipe:[\$]". */ ++ /* For "pipe:[\$]" and "socket:[\$]". */ + if (dentry->d_op && dentry->d_op->d_dname) { + pos = dentry->d_op->d_dname(dentry, buf, buf_len - 1); + goto encode; diff --git a/queue-5.4/uaccess-disallow-int_max-copy-sizes.patch b/queue-5.4/uaccess-disallow-int_max-copy-sizes.patch new file mode 100644 index 00000000000..5b448344367 --- /dev/null +++ b/queue-5.4/uaccess-disallow-int_max-copy-sizes.patch 
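Review bot: The replacement comment `/* For "pipe:[\$]" and "socket:[\$]". */` records the new output but not the reason the sockfs special case had to go; since the point is that `SOCKET_I(inode)->sk` can already be freed while the inode remains reachable via /proc/pid/fd, a comment such as `/* sockfs: use d_dname() only; SOCKET_I(inode)->sk may already be gone */` would keep the next reader from reintroducing the richer name. Removing tomoyo_get_socket_name() also changes the policy-file syntax, which the commit message states but the code does not mention anywhere. tomoyo_realpath_from_path continues outside the hunk.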
@@ -0,0 +1,45 @@
+From 6d13de1489b6bf539695f96d945de3860e6d5e17 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Wed, 4 Dec 2019 16:52:40 -0800
+Subject: uaccess: disallow > INT_MAX copy sizes
+
+From: Kees Cook
+
+commit 6d13de1489b6bf539695f96d945de3860e6d5e17 upstream.
+
+As we've done with VFS, string operations, etc, reject usercopy sizes
+larger than INT_MAX, which would be nice to have for catching bugs
+related to size calculation overflows[1].
+
+This adds 10 bytes to x86_64 defconfig text and 1980 bytes to the data
+section:
+
+ text data bss dec hex filename
+ 19691167 5134320 1646664 26472151 193eed7 vmlinux.before
+ 19691177 5136300 1646664 26474141 193f69d vmlinux.after
+
+[1] https://marc.info/?l=linux-s390&m=156631939010493&w=2
+
+Link: http://lkml.kernel.org/r/201908251612.F9902D7A@keescook
+Signed-off-by: Kees Cook
+Suggested-by: Dan Carpenter
+Cc: Alexander Viro
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/thread_info.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/include/linux/thread_info.h
++++ b/include/linux/thread_info.h
+@@ -147,6 +147,8 @@ check_copy_size(const void *addr, size_t
+ __bad_copy_to();
+ return false;
+ }
++ if (WARN_ON_ONCE(bytes > INT_MAX))
++ return false;
+ check_object_size(addr, bytes, is_source);
+ return true;
+ }
diff --git a/queue-5.4/xfs-fix-mount-failure-crash-on-invalid-iclog-memory-access.patch b/queue-5.4/xfs-fix-mount-failure-crash-on-invalid-iclog-memory-access.patch
new file mode 100644
index 00000000000..f04a4d61525
--- /dev/null
+++ b/queue-5.4/xfs-fix-mount-failure-crash-on-invalid-iclog-memory-access.patch
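Review bot: `WARN_ON_ONCE(bytes > INT_MAX)` turns an over-long copy into a one-time warning plus a refused copy, which is the right default for size-calculation bugs, but if any check_copy_size() caller passes a length derived from userspace, the warning is user-triggerable and becomes a crash on systems booted with panic_on_warn; the callers are worth auditing, or the expectation documented above the check: `/* > INT_MAX can only be a size-calculation bug, never a legitimate request */`. Placing the test before `check_object_size()` is correct so the hardened-usercopy check never sees the bogus length. check_copy_size starts before the hunk.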
@@ -0,0 +1,43 @@
+From 798a9cada4694ca8d970259f216cec47e675bfd5 Mon Sep 17 00:00:00 2001
+From: Brian Foster
+Date: Tue, 3 Dec 2019 07:53:15 -0800
+Subject: xfs: fix mount failure crash on invalid iclog memory access
+
+From: Brian Foster
+
+commit 798a9cada4694ca8d970259f216cec47e675bfd5 upstream.
+
+syzbot (via KASAN) reports a use-after-free in the error path of
+xlog_alloc_log(). Specifically, the iclog freeing loop doesn't
+handle the case of a fully initialized ->l_iclog linked list.
+Instead, it assumes that the list is partially constructed and NULL
+terminated.
+
+This bug manifested because there was no possible error scenario
+after iclog list setup when the original code was added. Subsequent
+code and associated error conditions were added some time later,
+while the original error handling code was never updated. Fix up the
+error loop to terminate either on a NULL iclog or reaching the end
+of the list.
+
+Reported-by: syzbot+c732f8644185de340492@syzkaller.appspotmail.com
+Signed-off-by: Brian Foster
+Reviewed-by: Darrick J. Wong
+Signed-off-by: Darrick J. Wong
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/xfs/xfs_log.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/xfs/xfs_log.c
++++ b/fs/xfs/xfs_log.c
+@@ -1495,6 +1495,8 @@ out_free_iclog:
+ prev_iclog = iclog->ic_next;
+ kmem_free(iclog->ic_data);
+ kmem_free(iclog);
++ if (prev_iclog == log->l_iclog)
++ break;
+ }
+ out_free_log:
+ kmem_free(log);
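Review bot: The added `if (prev_iclog == log->l_iclog) break;` compares against `log->l_iclog` after the loop's first iteration has already freed that iclog; that is fine because only the address is compared, never dereferenced, but it reads like a dangling access, and the comparison only terminates anything if a fully built list wraps back to its head, which the hunk does not show. A comment would settle both: `/* a fully built list is circular: stop when we wrap back to the head (freed above; compared by address only) */`. The variable named `prev_iclog` actually holds `iclog->ic_next`, so renaming it `next_iclog` would make the termination condition read naturally. The loop header is outside the hunk, so whether it still handles the NULL-terminated partial case is not visible here.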