From: Greg Kroah-Hartman Date: Mon, 29 Apr 2019 12:03:22 +0000 (+0200) Subject: 5.0-stable patches X-Git-Tag: v4.9.172~31 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9cab07951361b7899de4d94ae05331e3b141a7c9;p=thirdparty%2Fkernel%2Fstable-queue.git 5.0-stable patches added patches: binder-fix-handling-of-misaligned-binder-object.patch loop-do-not-print-warn-message-if-partition-scan-is-successful.patch sched-deadline-correctly-handle-active-0-lag-timers.patch slip-make-slhc_free-silently-accept-an-error-pointer.patch tipc-handle-the-err-returned-from-cmd-header-function.patch workqueue-try-to-catch-flush_work-without-init_work.patch
---
diff --git a/queue-5.0/binder-fix-handling-of-misaligned-binder-object.patch b/queue-5.0/binder-fix-handling-of-misaligned-binder-object.patch
new file mode 100644
index 00000000000..1f18f504a67
--- /dev/null
+++ b/queue-5.0/binder-fix-handling-of-misaligned-binder-object.patch
@@ -0,0 +1,58 @@
+From 26528be6720bb40bc8844e97ee73a37e530e9c5e Mon Sep 17 00:00:00 2001
+From: Todd Kjos
+Date: Thu, 14 Feb 2019 15:22:57 -0800
+Subject: binder: fix handling of misaligned binder object
+
+From: Todd Kjos
+
+commit 26528be6720bb40bc8844e97ee73a37e530e9c5e upstream.
+
+Fixes crash found by syzbot:
+kernel BUG at drivers/android/binder_alloc.c:LINE! (2)
+
+Reported-and-tested-by: syzbot+55de1eb4975dec156d8f@syzkaller.appspotmail.com
+Signed-off-by: Todd Kjos
+Reviewed-by: Joel Fernandes (Google)
+Cc: stable # 5.0, 4.19, 4.14
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/android/binder_alloc.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+--- a/drivers/android/binder_alloc.c
++++ b/drivers/android/binder_alloc.c
+@@ -959,14 +959,13 @@ enum lru_status binder_alloc_free_page(s
+ 
+ index = page - alloc->pages;
+ page_addr = (uintptr_t)alloc->buffer + index * PAGE_SIZE;
++
++ mm = alloc->vma_vm_mm;
++ if (!mmget_not_zero(mm))
++ goto err_mmget;
++ if (!down_write_trylock(&mm->mmap_sem))
++ goto err_down_write_mmap_sem_failed;
+ vma = binder_alloc_get_vma(alloc);
+- if (vma) {
+- if (!mmget_not_zero(alloc->vma_vm_mm))
+- goto err_mmget;
+- mm = alloc->vma_vm_mm;
+- if (!down_write_trylock(&mm->mmap_sem))
+- goto err_down_write_mmap_sem_failed;
+- }
+ 
+ list_lru_isolate(lru, item);
+ spin_unlock(lock);
+@@ -979,10 +978,9 @@ enum lru_status binder_alloc_free_page(s
+ PAGE_SIZE);
+ 
+ trace_binder_unmap_user_end(alloc, index);
+-
+- up_write(&mm->mmap_sem);
+- mmput(mm);
+ }
++ up_write(&mm->mmap_sem);
++ mmput(mm);
+ 
+ trace_binder_unmap_kernel_start(alloc, index);
+ 
diff --git a/queue-5.0/loop-do-not-print-warn-message-if-partition-scan-is-successful.patch b/queue-5.0/loop-do-not-print-warn-message-if-partition-scan-is-successful.patch
new file mode 100644
index 00000000000..631a6e7082b
--- /dev/null
+++ b/queue-5.0/loop-do-not-print-warn-message-if-partition-scan-is-successful.patch
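Review bot: The new code in binder_alloc_free_page() calls `mmget_not_zero(mm)` on `alloc->vma_vm_mm` unconditionally, whereas the removed branch only touched it when `binder_alloc_get_vma()` returned a vma; if a page can be on the shrinker LRU before `vma_vm_mm` has been recorded (the assignment is not visible from this hunk), this is a NULL dereference. If the invariant is that pages are only added to the LRU after mmap stored the mm, a one-line comment would stop a later reader from re-adding the `if (vma)` guard: `/* pages reach the lru only after mmap recorded vma_vm_mm, so mm is non-NULL here */`. The `vma` result is still assigned but no longer used within the hunk, so its remaining uses are outside the visible lines. binder_alloc_free_page() starts before and ends after this hunk, so the `err_mmget` and `err_down_write_mmap_sem_failed` labels are not visible here.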
@@ -0,0 +1,35 @@
+From 40853d6fc619a6fd3d3177c3973a2eac9b598a80 Mon Sep 17 00:00:00 2001
+From: Dongli Zhang
+Date: Fri, 22 Feb 2019 22:10:19 +0800
+Subject: loop: do not print warn message if partition scan is successful
+
+From: Dongli Zhang
+
+commit 40853d6fc619a6fd3d3177c3973a2eac9b598a80 upstream.
+
+Do not print warn message when the partition scan returns 0.
+
+Fixes: d57f3374ba48 ("loop: Move special partition reread handling in loop_clr_fd()")
+Signed-off-by: Dongli Zhang
+Reviewed-by: Jan Kara
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/block/loop.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -1111,8 +1111,9 @@ out_unlock:
+ err = __blkdev_reread_part(bdev);
+ else
+ err = blkdev_reread_part(bdev);
+- pr_warn("%s: partition scan of loop%d failed (rc=%d)\n",
+- __func__, lo_number, err);
++ if (err)
++ pr_warn("%s: partition scan of loop%d failed (rc=%d)\n",
++ __func__, lo_number, err);
+ /* Device is gone, no point in returning error */
+ err = 0;
+ }
diff --git a/queue-5.0/sched-deadline-correctly-handle-active-0-lag-timers.patch b/queue-5.0/sched-deadline-correctly-handle-active-0-lag-timers.patch
new file mode 100644
index 00000000000..6487c9402cb
--- /dev/null
+++ b/queue-5.0/sched-deadline-correctly-handle-active-0-lag-timers.patch
@@ -0,0 +1,64 @@
+From 1b02cd6a2d7f3e2a6a5262887d2cb2912083e42f Mon Sep 17 00:00:00 2001
+From: luca abeni
+Date: Mon, 25 Mar 2019 14:15:30 +0100
+Subject: sched/deadline: Correctly handle active 0-lag timers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: luca abeni
+
+commit 1b02cd6a2d7f3e2a6a5262887d2cb2912083e42f upstream.
+
+syzbot reported the following warning:
+
+ [ ] WARNING: CPU: 4 PID: 17089 at kernel/sched/deadline.c:255 task_non_contending+0xae0/0x1950
+
+line 255 of deadline.c is:
+
+ WARN_ON(hrtimer_active(&dl_se->inactive_timer));
+
+in task_non_contending().
+
+Unfortunately, in some cases (for example, a deadline task
+continuosly blocking and waking immediately) it can happen that
+a task blocks (and task_non_contending() is called) while the
+0-lag timer is still active.
+
+In this case, the safest thing to do is to immediately decrease
+the running bandwidth of the task, without trying to re-arm the 0-lag timer.
+
+Signed-off-by: luca abeni
+Signed-off-by: Peter Zijlstra (Intel)
+Acked-by: Juri Lelli
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: chengjian (D)
+Link: https://lkml.kernel.org/r/20190325131530.34706-1-luca.abeni@santannapisa.it
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/sched/deadline.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -252,7 +252,6 @@ static void task_non_contending(struct t
+ if (dl_entity_is_special(dl_se))
+ return;
+ 
+- WARN_ON(hrtimer_active(&dl_se->inactive_timer));
+ WARN_ON(dl_se->dl_non_contending);
+ 
+ zerolag_time = dl_se->deadline -
+@@ -269,7 +268,7 @@ static void task_non_contending(struct t
+ * If the "0-lag time" already passed, decrease the active
+ * utilization now, instead of starting a timer
+ */
+- if (zerolag_time < 0) {
++ if ((zerolag_time < 0) || hrtimer_active(&dl_se->inactive_timer)) {
+ if (dl_task(p))
+ sub_running_bw(dl_se, dl_rq);
+ if (!dl_task(p) || p->state == TASK_DEAD) {
diff --git a/queue-5.0/series b/queue-5.0/series
index be4383ab715..bfb6456e0c4 100644
--- a/queue-5.0/series
+++ b/queue-5.0/series
@@ -46,3 +46,9 @@ drm-vc4-fix-compilation-error-reported-by-kbuild-test-bot.patch
 usb-add-new-usb-lpm-helpers.patch
 usb-consolidate-lpm-checks-to-avoid-enabling-lpm-twice.patch
 ext4-fix-some-error-pointer-dereferences.patch
+loop-do-not-print-warn-message-if-partition-scan-is-successful.patch
+tipc-handle-the-err-returned-from-cmd-header-function.patch
+slip-make-slhc_free-silently-accept-an-error-pointer.patch
+workqueue-try-to-catch-flush_work-without-init_work.patch
+binder-fix-handling-of-misaligned-binder-object.patch
+sched-deadline-correctly-handle-active-0-lag-timers.patch
diff --git a/queue-5.0/slip-make-slhc_free-silently-accept-an-error-pointer.patch b/queue-5.0/slip-make-slhc_free-silently-accept-an-error-pointer.patch
new file mode 100644
index 00000000000..c52a7c0a0bc
--- /dev/null
+++ b/queue-5.0/slip-make-slhc_free-silently-accept-an-error-pointer.patch
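Review bot: The comment directly above the changed condition in task_non_contending() (`* If the "0-lag time" already passed, decrease the active utilization now, instead of starting a timer`) now describes only the first half of the `||`; the new `hrtimer_active(&dl_se->inactive_timer)` arm is undocumented, and a reader seeing the removed `WARN_ON` in history may be tempted to restore it. Suggest extending the comment with a line such as ` * (or the 0-lag timer is still armed from an earlier block: do not re-arm it, release the bandwidth now)`, which is the reasoning the commit message gives. task_non_contending() starts before and ends after this hunk, so the rest of the branch is not visible.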
@@ -0,0 +1,48 @@
+From baf76f0c58aec435a3a864075b8f6d8ee5d1f17e Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Thu, 25 Apr 2019 16:13:58 -0700
+Subject: slip: make slhc_free() silently accept an error pointer
+
+From: Linus Torvalds
+
+commit baf76f0c58aec435a3a864075b8f6d8ee5d1f17e upstream.
+
+This way, slhc_free() accepts what slhc_init() returns, whether that is
+an error or not.
+
+In particular, the pattern in sl_alloc_bufs() is
+
+ slcomp = slhc_init(16, 16);
+ ...
+ slhc_free(slcomp);
+
+for the error handling path, and rather than complicate that code, just
+make it ok to always free what was returned by the init function.
+
+That's what the code used to do before commit 4ab42d78e37a ("ppp, slip:
+Validate VJ compression slot parameters completely") when slhc_init()
+just returned NULL for the error case, with no actual indication of the
+details of the error.
+
+Reported-by: syzbot+45474c076a4927533d2e@syzkaller.appspotmail.com
+Fixes: 4ab42d78e37a ("ppp, slip: Validate VJ compression slot parameters completely")
+Acked-by: Ben Hutchings
+Cc: David Miller
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/slip/slhc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/slip/slhc.c
++++ b/drivers/net/slip/slhc.c
+@@ -153,7 +153,7 @@ out_fail:
+ void
+ slhc_free(struct slcompress *comp)
+ {
+- if ( comp == NULLSLCOMPR )
++ if ( IS_ERR_OR_NULL(comp) )
+ return;
+ 
+ if ( comp->tstate != NULLSLSTATE )
diff --git a/queue-5.0/tipc-handle-the-err-returned-from-cmd-header-function.patch b/queue-5.0/tipc-handle-the-err-returned-from-cmd-header-function.patch
new file mode 100644
index 00000000000..c2854545766
--- /dev/null
+++ b/queue-5.0/tipc-handle-the-err-returned-from-cmd-header-function.patch
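Review bot: slhc_free() now accepts an ERR_PTR, but nothing in the function records that this is a deliberate contract rather than a defensive leftover, so the next cleanup pass may "simplify" it back to a NULL check and reintroduce the sl_alloc_bufs() error-path dereference. A comment above the check, e.g. `/* slhc_init() may return an ERR_PTR; accept it so callers can free unconditionally on their error path */`, captures the reasoning from the commit message. The change also depends on `IS_ERR_OR_NULL` being visible in slhc.c, i.e. on `linux/err.h` already being included directly or transitively, which cannot be confirmed from this hunk. slhc_free() ends outside the hunk.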
@@ -0,0 +1,77 @@
+From 2ac695d1d602ce00b12170242f58c3d3a8e36d04 Mon Sep 17 00:00:00 2001
+From: Xin Long
+Date: Sun, 31 Mar 2019 22:50:10 +0800
+Subject: tipc: handle the err returned from cmd header function
+
+From: Xin Long
+
+commit 2ac695d1d602ce00b12170242f58c3d3a8e36d04 upstream.
+
+Syzbot found a crash:
+
+ BUG: KMSAN: uninit-value in tipc_nl_compat_name_table_dump+0x54f/0xcd0 net/tipc/netlink_compat.c:872
+ Call Trace:
+ tipc_nl_compat_name_table_dump+0x54f/0xcd0 net/tipc/netlink_compat.c:872
+ __tipc_nl_compat_dumpit+0x59e/0xda0 net/tipc/netlink_compat.c:215
+ tipc_nl_compat_dumpit+0x63a/0x820 net/tipc/netlink_compat.c:280
+ tipc_nl_compat_handle net/tipc/netlink_compat.c:1226 [inline]
+ tipc_nl_compat_recv+0x1b5f/0x2750 net/tipc/netlink_compat.c:1265
+ genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
+ genl_rcv_msg+0x185f/0x1a60 net/netlink/genetlink.c:626
+ netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2477
+ genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
+ netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
+ netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1336
+ netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917
+ sock_sendmsg_nosec net/socket.c:622 [inline]
+ sock_sendmsg net/socket.c:632 [inline]
+
+ Uninit was created at:
+ __alloc_skb+0x309/0xa20 net/core/skbuff.c:208
+ alloc_skb include/linux/skbuff.h:1012 [inline]
+ netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
+ netlink_sendmsg+0xb82/0x1300 net/netlink/af_netlink.c:1892
+ sock_sendmsg_nosec net/socket.c:622 [inline]
+ sock_sendmsg net/socket.c:632 [inline]
+
+It was supposed to be fixed on commit 974cb0e3e7c9 ("tipc: fix uninit-value
+in tipc_nl_compat_name_table_dump") by checking TLV_GET_DATA_LEN(msg->req)
+in cmd->header()/tipc_nl_compat_name_table_dump_header(), which is called
+ahead of tipc_nl_compat_name_table_dump().
+
+However, tipc_nl_compat_dumpit() doesn't handle the error returned from cmd
+header function. It means even when the check added in that fix fails, it
+won't stop calling tipc_nl_compat_name_table_dump(), and the issue will be
+triggered again.
+
+So this patch is to add the process for the err returned from cmd header
+function in tipc_nl_compat_dumpit().
+
+Reported-by: syzbot+3ce8520484b0d4e260a5@syzkaller.appspotmail.com
+Signed-off-by: Xin Long
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/tipc/netlink_compat.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -267,8 +267,14 @@ static int tipc_nl_compat_dumpit(struct
+ if (msg->rep_type)
+ tipc_tlv_init(msg->rep, msg->rep_type);
+ 
+- if (cmd->header)
+- (*cmd->header)(msg);
++ if (cmd->header) {
++ err = (*cmd->header)(msg);
++ if (err) {
++ kfree_skb(msg->rep);
++ msg->rep = NULL;
++ return err;
++ }
++ }
+ 
+ arg = nlmsg_new(0, GFP_KERNEL);
+ if (!arg) {
diff --git a/queue-5.0/workqueue-try-to-catch-flush_work-without-init_work.patch b/queue-5.0/workqueue-try-to-catch-flush_work-without-init_work.patch
new file mode 100644
index 00000000000..37b7c6ad545
--- /dev/null
+++ b/queue-5.0/workqueue-try-to-catch-flush_work-without-init_work.patch
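Review bot: The new error path in tipc_nl_compat_dumpit() hand-rolls the reply cleanup (`kfree_skb(msg->rep); msg->rep = NULL;`) immediately before the `if (!arg)` allocation-failure branch, which presumably performs the same cleanup; a shared error label would keep the two in step if the reply handling changes, and the `cmd->header` error is the point where a malformed compat request is rejected, so that path should stay obvious. `err` is assigned here without a declaration in the hunk, so it must already be a local of the function — worth confirming that no earlier value in it is needed afterwards. tipc_nl_compat_dumpit() starts before and ends after this hunk.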
@@ -0,0 +1,43 @@
+From 4d43d395fed124631ca02356c711facb90185175 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa
+Date: Wed, 23 Jan 2019 09:44:12 +0900
+Subject: workqueue: Try to catch flush_work() without INIT_WORK().
+
+From: Tetsuo Handa
+
+commit 4d43d395fed124631ca02356c711facb90185175 upstream.
+
+syzbot found a flush_work() caller who forgot to call INIT_WORK()
+because that work_struct was allocated by kzalloc() [1]. But the message
+
+ INFO: trying to register non-static key.
+ the code is fine but needs lockdep annotation.
+ turning off the locking correctness validator.
+
+by lock_map_acquire() is failing to tell that INIT_WORK() is missing.
+
+Since flush_work() without INIT_WORK() is a bug, and INIT_WORK() should
+set ->func field to non-zero, let's warn if ->func field is zero.
+
+[1] https://syzkaller.appspot.com/bug?id=a5954455fcfa51c29ca2ab55b203076337e1c770
+
+Signed-off-by: Tetsuo Handa
+Signed-off-by: Tejun Heo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/workqueue.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -2931,6 +2931,9 @@ static bool __flush_work(struct work_str
+ if (WARN_ON(!wq_online))
+ return false;
+ 
++ if (WARN_ON(!work->func))
++ return false;
++
+ if (!from_cancel) {
+ lock_map_acquire(&work->lockdep_map);
+ lock_map_release(&work->lockdep_map);
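Review bot: The new `WARN_ON(!work->func)` in __flush_work() is only meaningful because INIT_WORK() always stores a non-NULL function pointer, which the commit message states but the code does not, so the check reads like an arbitrary NULL test. A short comment would make the intent survive: `/* INIT_WORK() always sets ->func; NULL means the work_struct was never initialised (e.g. only zeroed by kzalloc()) */`. Returning `false` mirrors the `!wq_online` case just above, so callers cannot distinguish "never initialised" from "nothing to flush" other than by the warning, which seems acceptable for a bug-catching check. __flush_work() starts before and ends after this hunk.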