From: Greg Kroah-Hartman Date: Tue, 16 Jun 2020 11:20:12 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v5.4.47~34 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a360968c4899b7f7e6646c22618df9188c90c9f9;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: fat-don-t-allow-to-mount-if-the-fat-length-0.patch mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch perf-add-cond_resched-to-task_function_call.patch --- diff --git a/queue-4.14/fat-don-t-allow-to-mount-if-the-fat-length-0.patch b/queue-4.14/fat-don-t-allow-to-mount-if-the-fat-length-0.patch new file mode 100644 index 00000000000..bafdbf4a9b5 --- /dev/null +++ b/queue-4.14/fat-don-t-allow-to-mount-if-the-fat-length-0.patch @@ -0,0 +1,42 @@ +From b1b65750b8db67834482f758fc385bfa7560d228 Mon Sep 17 00:00:00 2001 +From: OGAWA Hirofumi +Date: Thu, 4 Jun 2020 16:50:56 -0700 +Subject: fat: don't allow to mount if the FAT length == 0 + +From: OGAWA Hirofumi + +commit b1b65750b8db67834482f758fc385bfa7560d228 upstream. + +If FAT length == 0, the image doesn't have any data. And it can be the +cause of overlapping the root dir and FAT entries. + +Also Windows treats it as invalid format. + +Reported-by: syzbot+6f1624f937d9d6911e2d@syzkaller.appspotmail.com +Signed-off-by: OGAWA Hirofumi +Signed-off-by: Andrew Morton +Cc: Marco Elver +Cc: Dmitry Vyukov +Link: http://lkml.kernel.org/r/87r1wz8mrd.fsf@mail.parknet.co.jp +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fat/inode.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/fat/inode.c ++++ b/fs/fat/inode.c +@@ -1512,6 +1512,12 @@ static int fat_read_bpb(struct super_blo + goto out; + } + ++ if (bpb->fat_fat_length == 0 && bpb->fat32_length == 0) { ++ if (!silent) ++ fat_msg(sb, KERN_ERR, "bogus number of FAT sectors"); ++ goto out; ++ } ++ + error = 0; + + out: diff --git a/queue-4.14/mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch b/queue-4.14/mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch new file mode 100644 index 00000000000..37aab032cd6 --- /dev/null +++ b/queue-4.14/mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch @@ -0,0 +1,77 @@ +From dde3c6b72a16c2db826f54b2d49bdea26c3534a2 Mon Sep 17 00:00:00 2001 +From: Wang Hai +Date: Wed, 3 Jun 2020 15:56:21 -0700 +Subject: mm/slub: fix a memory leak in sysfs_slab_add() + +From: Wang Hai + +commit dde3c6b72a16c2db826f54b2d49bdea26c3534a2 upstream. + +syzkaller reports for memory leak when kobject_init_and_add() returns an +error in the function sysfs_slab_add() [1] + +When this happened, the function kobject_put() is not called for the +corresponding kobject, which potentially leads to memory leak. + +This patch fixes the issue by calling kobject_put() even if +kobject_init_and_add() fails. + +[1] + BUG: memory leak + unreferenced object 0xffff8880a6d4be88 (size 8): + comm "syz-executor.3", pid 946, jiffies 4295772514 (age 18.396s) + hex dump (first 8 bytes): + 70 69 64 5f 33 00 ff ff pid_3... + backtrace: + kstrdup+0x35/0x70 mm/util.c:60 + kstrdup_const+0x3d/0x50 mm/util.c:82 + kvasprintf_const+0x112/0x170 lib/kasprintf.c:48 + kobject_set_name_vargs+0x55/0x130 lib/kobject.c:289 + kobject_add_varg lib/kobject.c:384 [inline] + kobject_init_and_add+0xd8/0x170 lib/kobject.c:473 + sysfs_slab_add+0x1d8/0x290 mm/slub.c:5811 + __kmem_cache_create+0x50a/0x570 mm/slub.c:4384 + create_cache+0x113/0x1e0 mm/slab_common.c:407 + kmem_cache_create_usercopy+0x1a1/0x260 mm/slab_common.c:505 + kmem_cache_create+0xd/0x10 mm/slab_common.c:564 + create_pid_cachep kernel/pid_namespace.c:54 [inline] + create_pid_namespace kernel/pid_namespace.c:96 [inline] + copy_pid_ns+0x77c/0x8f0 kernel/pid_namespace.c:148 + create_new_namespaces+0x26b/0xa30 kernel/nsproxy.c:95 + unshare_nsproxy_namespaces+0xa7/0x1e0 kernel/nsproxy.c:229 + ksys_unshare+0x3d2/0x770 kernel/fork.c:2969 + __do_sys_unshare kernel/fork.c:3037 [inline] + __se_sys_unshare kernel/fork.c:3035 [inline] + __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3035 + do_syscall_64+0xa1/0x530 arch/x86/entry/common.c:295 + +Fixes: 80da026a8e5d ("mm/slub: fix slab double-free in case of duplicate sysfs filename") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: Andrew Morton +Cc: Christoph Lameter +Cc: Pekka Enberg +Cc: David Rientjes +Cc: Joonsoo Kim +Link: http://lkml.kernel.org/r/20200602115033.1054-1-wanghai38@huawei.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/slub.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -5727,8 +5727,10 @@ static int sysfs_slab_add(struct kmem_ca + + s->kobj.kset = kset; + err = kobject_init_and_add(&s->kobj, &slab_ktype, NULL, "%s", name); +- if (err) ++ if (err) { ++ kobject_put(&s->kobj); + goto out; ++ } + + err = sysfs_create_group(&s->kobj, &slab_attr_group); + if (err) diff --git a/queue-4.14/perf-add-cond_resched-to-task_function_call.patch b/queue-4.14/perf-add-cond_resched-to-task_function_call.patch new file mode 100644 index 00000000000..26f931597bb --- /dev/null +++ b/queue-4.14/perf-add-cond_resched-to-task_function_call.patch @@ -0,0 +1,68 @@ +From 2ed6edd33a214bca02bd2b45e3fc3038a059436b Mon Sep 17 00:00:00 2001 +From: Barret Rhoden +Date: Tue, 14 Apr 2020 18:29:20 -0400 +Subject: perf: Add cond_resched() to task_function_call() + +From: Barret Rhoden + +commit 2ed6edd33a214bca02bd2b45e3fc3038a059436b upstream. + +Under rare circumstances, task_function_call() can repeatedly fail and +cause a soft lockup. + +There is a slight race where the process is no longer running on the cpu +we targeted by the time remote_function() runs. The code will simply +try again. If we are very unlucky, this will continue to fail, until a +watchdog fires. This can happen in a heavily loaded, multi-core virtual +machine. + +Reported-by: syzbot+bb4935a5c09b5ff79940@syzkaller.appspotmail.com +Signed-off-by: Barret Rhoden +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20200414222920.121401-1-brho@google.com +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/events/core.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -94,11 +94,11 @@ static void remote_function(void *data) + * @info: the function call argument + * + * Calls the function @func when the task is currently running. This might +- * be on the current CPU, which just calls the function directly ++ * be on the current CPU, which just calls the function directly. This will ++ * retry due to any failures in smp_call_function_single(), such as if the ++ * task_cpu() goes offline concurrently. + * +- * returns: @func return value, or +- * -ESRCH - when the process isn't running +- * -EAGAIN - when the process moved away ++ * returns @func return value or -ESRCH when the process isn't running + */ + static int + task_function_call(struct task_struct *p, remote_function_f func, void *info) +@@ -111,11 +111,16 @@ task_function_call(struct task_struct *p + }; + int ret; + +- do { +- ret = smp_call_function_single(task_cpu(p), remote_function, &data, 1); +- if (!ret) +- ret = data.ret; +- } while (ret == -EAGAIN); ++ for (;;) { ++ ret = smp_call_function_single(task_cpu(p), remote_function, ++ &data, 1); ++ ret = !ret ? data.ret : -EAGAIN; ++ ++ if (ret != -EAGAIN) ++ break; ++ ++ cond_resched(); ++ } + + return ret; + } diff --git a/queue-4.14/series b/queue-4.14/series index 4ba1a541230..3e63417619f 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -64,3 +64,6 @@ ath9k-fix-use-after-free-write-in-ath9k_htc_rx_msg.patch ath9x-fix-stack-out-of-bounds-write-in-ath9k_hif_usb_rx_cb.patch ath9k-fix-general-protection-fault-in-ath9k_hif_usb_rx_cb.patch smack-slab-out-of-bounds-in-vsscanf.patch +mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch +fat-don-t-allow-to-mount-if-the-fat-length-0.patch +perf-add-cond_resched-to-task_function_call.patch