From: Greg Kroah-Hartman Date: Mon, 29 Apr 2019 12:26:41 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v4.9.172~25 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=afdb8894c0a596b7165124771d0409c7893bc1ab;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: binder-fix-handling-of-misaligned-binder-object.patch fm10k-fix-a-potential-null-pointer-dereference.patch fs-proc-proc_sysctl.c-fix-a-null-pointer-dereference.patch intel_th-gth-fix-an-off-by-one-in-output-unassigning.patch net-netrom-fix-error-cleanup-path-of-nr_proto_init.patch net-rds-check-address-length-before-reading-address-family.patch netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch nfs-forbid-setting-af_inet6-to-struct-sockaddr_in-sin_family.patch rxrpc-fix-race-condition-in-rxrpc_input_packet.patch sched-deadline-correctly-handle-active-0-lag-timers.patch slip-make-slhc_free-silently-accept-an-error-pointer.patch tipc-check-bearer-name-with-right-length-in-tipc_nl_compat_bearer_enable.patch tipc-check-link-name-with-right-length-in-tipc_nl_compat_link_set.patch workqueue-try-to-catch-flush_work-without-init_work.patch
---
diff --git a/queue-4.19/binder-fix-handling-of-misaligned-binder-object.patch b/queue-4.19/binder-fix-handling-of-misaligned-binder-object.patch
new file mode 100644
index 00000000000..65b425c8830
--- /dev/null
+++ b/queue-4.19/binder-fix-handling-of-misaligned-binder-object.patch
@@ -0,0 +1,58 @@
+From 26528be6720bb40bc8844e97ee73a37e530e9c5e Mon Sep 17 00:00:00 2001
+From: Todd Kjos
+Date: Thu, 14 Feb 2019 15:22:57 -0800
+Subject: binder: fix handling of misaligned binder object
+
+From: Todd Kjos
+
+commit 26528be6720bb40bc8844e97ee73a37e530e9c5e upstream.
+
+Fixes crash found by syzbot:
+kernel BUG at drivers/android/binder_alloc.c:LINE! (2)
+
+Reported-and-tested-by: syzbot+55de1eb4975dec156d8f@syzkaller.appspotmail.com
+Signed-off-by: Todd Kjos
+Reviewed-by: Joel Fernandes (Google)
+Cc: stable # 5.0, 4.19, 4.14
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/android/binder_alloc.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+--- a/drivers/android/binder_alloc.c
++++ b/drivers/android/binder_alloc.c
+@@ -958,14 +958,13 @@ enum lru_status binder_alloc_free_page(s
+
+ index = page - alloc->pages;
+ page_addr = (uintptr_t)alloc->buffer + index * PAGE_SIZE;
++
++ mm = alloc->vma_vm_mm;
++ if (!mmget_not_zero(mm))
++ goto err_mmget;
++ if (!down_write_trylock(&mm->mmap_sem))
++ goto err_down_write_mmap_sem_failed;
+ vma = binder_alloc_get_vma(alloc);
+- if (vma) {
+- if (!mmget_not_zero(alloc->vma_vm_mm))
+- goto err_mmget;
+- mm = alloc->vma_vm_mm;
+- if (!down_write_trylock(&mm->mmap_sem))
+- goto err_down_write_mmap_sem_failed;
+- }
+
+ list_lru_isolate(lru, item);
+ spin_unlock(lock);
+@@ -978,10 +977,9 @@ enum lru_status binder_alloc_free_page(s
+ PAGE_SIZE);
+
+ trace_binder_unmap_user_end(alloc, index);
+-
+- up_write(&mm->mmap_sem);
+- mmput(mm);
+ }
++ up_write(&mm->mmap_sem);
++ mmput(mm);
+
+ trace_binder_unmap_kernel_start(alloc, index);
+
diff --git a/queue-4.19/fm10k-fix-a-potential-null-pointer-dereference.patch b/queue-4.19/fm10k-fix-a-potential-null-pointer-dereference.patch
new file mode 100644
index 00000000000..2c10fc825db
--- /dev/null
+++ b/queue-4.19/fm10k-fix-a-potential-null-pointer-dereference.patch
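Review bot: The new `mm = alloc->vma_vm_mm;` / `if (!mmget_not_zero(mm))` pair now runs before `binder_alloc_get_vma()` and no longer sits under `if (vma)`, so it relies on `vma_vm_mm` being set for every page that reaches `binder_alloc_free_page()`; nothing in the hunk shows where that field is assigned, so that invariant is worth confirming before queuing. The unconditional `up_write()`/`mmput()` after the closing brace match the unconditional acquire, so the pairing is consistent within the hunk, and a comment such as `/* mm ref and mmap_sem are taken before the vma lookup and dropped after the unmap */` above the new `mm = ...` line would document the reordering. Separately, the patch subject and upstream id speak of a misaligned binder object while the body only changes mm reference and lock handling in `binder_alloc_free_page()`, which may be worth a second look. The function starts and ends outside the hunk.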
@@ -0,0 +1,74 @@
+From 01ca667133d019edc9f0a1f70a272447c84ec41f Mon Sep 17 00:00:00 2001
+From: Yue Haibing
+Date: Thu, 21 Mar 2019 22:42:23 +0800
+Subject: fm10k: Fix a potential NULL pointer dereference
+
+From: Yue Haibing
+
+commit 01ca667133d019edc9f0a1f70a272447c84ec41f upstream.
+
+Syzkaller report this:
+
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] SMP KASAN PTI
+CPU: 0 PID: 4378 Comm: syz-executor.0 Tainted: G C 5.0.0+ #5
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+RIP: 0010:__lock_acquire+0x95b/0x3200 kernel/locking/lockdep.c:3573
+Code: 00 0f 85 28 1e 00 00 48 81 c4 08 01 00 00 5b 5d 41 5c 41 5d 41 5e 41 5f c3 4c 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 cc 24 00 00 49 81 7d 00 e0 de 03 a6 41 bc 00 00
+RSP: 0018:ffff8881e3c07a40 EFLAGS: 00010002
+RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
+RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000080
+RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
+R10: ffff8881e3c07d98 R11: ffff8881c7f21f80 R12: 0000000000000001
+R13: 0000000000000080 R14: 0000000000000000 R15: 0000000000000001
+FS: 00007fce2252e700(0000) GS:ffff8881f2400000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fffc7eb0228 CR3: 00000001e5bea002 CR4: 00000000007606f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+PKRU: 55555554
+Call Trace:
+ lock_acquire+0xff/0x2c0 kernel/locking/lockdep.c:4211
+ __mutex_lock_common kernel/locking/mutex.c:925 [inline]
+ __mutex_lock+0xdf/0x1050 kernel/locking/mutex.c:1072
+ drain_workqueue+0x24/0x3f0 kernel/workqueue.c:2934
+ destroy_workqueue+0x23/0x630 kernel/workqueue.c:4319
+ __do_sys_delete_module kernel/module.c:1018 [inline]
+ __se_sys_delete_module kernel/module.c:961 [inline]
+ __x64_sys_delete_module+0x30c/0x480 kernel/module.c:961
+ do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x462e99
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fce2252dc58 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
+RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000140
+RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007fce2252e6bc
+R13: 00000000004bcca9 R14: 00000000006f6b48 R15: 00000000ffffffff
+
+If alloc_workqueue fails, it should return -ENOMEM, otherwise may
+trigger this NULL pointer dereference while unloading drivers.
+
+Reported-by: Hulk Robot
+Fixes: 0a38c17a21a0 ("fm10k: Remove create_workqueue")
+Signed-off-by: Yue Haibing
+Tested-by: Andrew Bowers
+Signed-off-by: Jeff Kirsher
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/ethernet/intel/fm10k/fm10k_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/intel/fm10k/fm10k_main.c
++++ b/drivers/net/ethernet/intel/fm10k/fm10k_main.c
+@@ -41,6 +41,8 @@ static int __init fm10k_init_module(void
+ /* create driver workqueue */
+ fm10k_workqueue = alloc_workqueue("%s", WQ_MEM_RECLAIM, 0,
+ fm10k_driver_name);
++ if (!fm10k_workqueue)
++ return -ENOMEM;
+
+ fm10k_dbg_init();
+
diff --git a/queue-4.19/fs-proc-proc_sysctl.c-fix-a-null-pointer-dereference.patch b/queue-4.19/fs-proc-proc_sysctl.c-fix-a-null-pointer-dereference.patch
new file mode 100644
index 00000000000..3945fb31203
--- /dev/null
+++ b/queue-4.19/fs-proc-proc_sysctl.c-fix-a-null-pointer-dereference.patch
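Review bot: The new `if (!fm10k_workqueue) return -ENOMEM;` sits before `fm10k_dbg_init()`, so nothing initialised later in `fm10k_init_module()` is left behind on this path, but whatever precedes the hunk's context is not visible, so it is worth confirming that nothing set up earlier in the function needs undoing here. A one-line comment on the return, e.g. `/* a NULL workqueue would be dereferenced by destroy_workqueue() on unload */`, ties the check to the trace in the commit message. The function starts and ends outside the hunk.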
@@ -0,0 +1,97 @@
+From 89189557b47b35683a27c80ee78aef18248eefb4 Mon Sep 17 00:00:00 2001
+From: YueHaibing
+Date: Thu, 25 Apr 2019 22:24:05 -0700
+Subject: fs/proc/proc_sysctl.c: Fix a NULL pointer dereference
+
+From: YueHaibing
+
+commit 89189557b47b35683a27c80ee78aef18248eefb4 upstream.
+
+Syzkaller report this:
+
+ sysctl could not get directory: /net//bridge -12
+ kasan: CONFIG_KASAN_INLINE enabled
+ kasan: GPF could be caused by NULL-ptr deref or user memory access
+ general protection fault: 0000 [#1] SMP KASAN PTI
+ CPU: 1 PID: 7027 Comm: syz-executor.0 Tainted: G C 5.1.0-rc3+ #8
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+ RIP: 0010:__write_once_size include/linux/compiler.h:220 [inline]
+ RIP: 0010:__rb_change_child include/linux/rbtree_augmented.h:144 [inline]
+ RIP: 0010:__rb_erase_augmented include/linux/rbtree_augmented.h:186 [inline]
+ RIP: 0010:rb_erase+0x5f4/0x19f0 lib/rbtree.c:459
+ Code: 00 0f 85 60 13 00 00 48 89 1a 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 75 0c 00 00 4d 85 ed 4c 89 2e 74 ce 4c 89 ea 48
+ RSP: 0018:ffff8881bb507778 EFLAGS: 00010206
+ RAX: dffffc0000000000 RBX: ffff8881f224b5b8 RCX: ffffffff818f3f6a
+ RDX: 000000000000000a RSI: 0000000000000050 RDI: ffff8881f224b568
+ RBP: 0000000000000000 R08: ffffed10376a0ef4 R09: ffffed10376a0ef4
+ R10: 0000000000000001 R11: ffffed10376a0ef4 R12: ffff8881f224b558
+ R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+ FS: 00007f3e7ce13700(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007fd60fbe9398 CR3: 00000001cb55c001 CR4: 00000000007606e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ PKRU: 55555554
+ Call Trace:
+ erase_entry fs/proc/proc_sysctl.c:178 [inline]
+ erase_header+0xe3/0x160 fs/proc/proc_sysctl.c:207
+ start_unregistering fs/proc/proc_sysctl.c:331 [inline]
+ drop_sysctl_table+0x558/0x880 fs/proc/proc_sysctl.c:1631
+ get_subdir fs/proc/proc_sysctl.c:1022 [inline]
+ __register_sysctl_table+0xd65/0x1090 fs/proc/proc_sysctl.c:1335
+ br_netfilter_init+0x68/0x1000 [br_netfilter]
+ do_one_initcall+0xbc/0x47d init/main.c:901
+ do_init_module+0x1b5/0x547 kernel/module.c:3456
+ load_module+0x6405/0x8c10 kernel/module.c:3804
+ __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
+ do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ Modules linked in: br_netfilter(+) backlight comedi(C) hid_sensor_hub max3100 ti_ads8688 udc_core fddi snd_mona leds_gpio rc_streamzap mtd pata_netcell nf_log_common rc_winfast udp_tunnel snd_usbmidi_lib snd_usb_toneport snd_usb_line6 snd_rawmidi snd_seq_device snd_hwdep videobuf2_v4l2 videobuf2_common videodev media videobuf2_vmalloc videobuf2_memops rc_gadmei_rm008z 8250_of smm665 hid_tmff hid_saitek hwmon_vid rc_ati_tv_wonder_hd_600 rc_core pata_pdc202xx_old dn_rtmsg as3722 ad714x_i2c ad714x snd_soc_cs4265 hid_kensington panel_ilitek_ili9322 drm drm_panel_orientation_quirks ipack cdc_phonet usbcore phonet hid_jabra hid extcon_arizona can_dev industrialio_triggered_buffer kfifo_buf industrialio adm1031 i2c_mux_ltc4306 i2c_mux ipmi_msghandler mlxsw_core snd_soc_cs35l34 snd_soc_core snd_pcm_dmaengine snd_pcm snd_timer ac97_bus snd_compress snd soundcore gpio_da9055 uio ecdh_generic mdio_thunder of_mdio fixed_phy libphy mdio_cavium iptable_security iptable_raw iptable_mangle
+ iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel hsr veth netdevsim vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon dummy team bonding vcan bridge stp llc ip6_gre gre ip6_tunnel tunnel6 tun joydev mousedev ppdev tpm kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel ide_pci_generic piix aes_x86_64 crypto_simd cryptd ide_core glue_helper input_leds psmouse intel_agp intel_gtt serio_raw ata_generic i2c_piix4 agpgart pata_acpi parport_pc parport floppy rtc_cmos sch_fq_codel ip_tables x_tables sha1_ssse3 sha1_generic ipv6 [last unloaded: br_netfilter]
+ Dumping ftrace buffer:
+ (ftrace buffer empty)
+ ---[ end trace 68741688d5fbfe85 ]---
+
+commit 23da9588037e ("fs/proc/proc_sysctl.c: fix NULL pointer
+dereference in put_links") forgot to handle start_unregistering() case,
+while header->parent is NULL, it calls erase_header() and as seen in the
+above syzkaller call trace, accessing &header->parent->root will trigger
+a NULL pointer dereference.
+
+As that commit explained, there is also no need to call
+start_unregistering() if header->parent is NULL.
+
+Link: http://lkml.kernel.org/r/20190409153622.28112-1-yuehaibing@huawei.com
+Fixes: 23da9588037e ("fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links")
+Fixes: 0e47c99d7fe25 ("sysctl: Replace root_list with links between sysctl_table_sets")
+Signed-off-by: YueHaibing
+Reported-by: Hulk Robot
+Reviewed-by: Kees Cook
+Cc: Luis Chamberlain
+Cc: Alexey Dobriyan
+Cc: Al Viro
+Cc: "Eric W. Biederman"
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/proc/proc_sysctl.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/proc/proc_sysctl.c
++++ b/fs/proc/proc_sysctl.c
+@@ -1626,9 +1626,11 @@ static void drop_sysctl_table(struct ctl
+ if (--header->nreg)
+ return;
+
+- if (parent)
++ if (parent) {
+ put_links(header);
+- start_unregistering(header);
++ start_unregistering(header);
++ }
++
+ if (!--header->count)
+ kfree_rcu(header, rcu);
+
diff --git a/queue-4.19/intel_th-gth-fix-an-off-by-one-in-output-unassigning.patch b/queue-4.19/intel_th-gth-fix-an-off-by-one-in-output-unassigning.patch
new file mode 100644
index 00000000000..4d06bb372de
--- /dev/null
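Review bot: The new `if (parent) { ... }` block now skips `start_unregistering()` as well as `put_links()` when `header->parent` is NULL, and the reason is stated only in the commit message; a comment on the opening brace, e.g. `/* header->parent == NULL: nothing to unregister, and erase_header() would dereference it (see 23da9588037e) */`, keeps that reasoning next to the code. The remaining `if (!--header->count)` path is unchanged and still runs for the parentless case, which matches the commit message. `drop_sysctl_table()` starts outside the hunk.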
+++ b/queue-4.19/intel_th-gth-fix-an-off-by-one-in-output-unassigning.patch
@@ -0,0 +1,34 @@
+From 91d3f8a629849968dc91d6ce54f2d46abf4feb7f Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin
+Date: Fri, 1 Mar 2019 10:09:55 +0200
+Subject: intel_th: gth: Fix an off-by-one in output unassigning
+
+From: Alexander Shishkin
+
+commit 91d3f8a629849968dc91d6ce54f2d46abf4feb7f upstream.
+
+Commit 9ed3f22223c3 ("intel_th: Don't reference unassigned outputs")
+fixes a NULL dereference for all masters except the last one ("256+"),
+which keeps the stale pointer after the output driver had been unassigned.
+
+Fix the off-by-one.
+
+Signed-off-by: Alexander Shishkin
+Fixes: 9ed3f22223c3 ("intel_th: Don't reference unassigned outputs")
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hwtracing/intel_th/gth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwtracing/intel_th/gth.c
++++ b/drivers/hwtracing/intel_th/gth.c
+@@ -616,7 +616,7 @@ static void intel_th_gth_unassign(struct
+ othdev->output.port = -1;
+ othdev->output.active = false;
+ gth->output[port].output = NULL;
+- for (master = 0; master < TH_CONFIGURABLE_MASTERS; master++)
++ for (master = 0; master <= TH_CONFIGURABLE_MASTERS; master++)
+ if (gth->master[master] == port)
+ gth->master[master] = -1;
+ spin_unlock(>h->gth_lock);
diff --git a/queue-4.19/net-netrom-fix-error-cleanup-path-of-nr_proto_init.patch b/queue-4.19/net-netrom-fix-error-cleanup-path-of-nr_proto_init.patch
new file mode 100644
index 00000000000..93f5bb8c973
--- /dev/null
+++ b/queue-4.19/net-netrom-fix-error-cleanup-path-of-nr_proto_init.patch
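Review bot: The new inclusive bound `master <= TH_CONFIGURABLE_MASTERS` is only safe if `gth->master[]` is declared with `TH_CONFIGURABLE_MASTERS + 1` entries, the extra one being the "256+" master the commit message mentions; the array declaration is not in the hunk, so that sizing is worth confirming, and a comment on the loop such as `/* index TH_CONFIGURABLE_MASTERS is the "256+" master, so the bound is inclusive */` would explain why this loop differs from a plain `<` bound. The last context line reads `spin_unlock(>h->gth_lock)`, which looks like the `&` of `&gth->gth_lock` was lost when the page was extracted rather than a change made by the patch. `intel_th_gth_unassign()` starts outside the hunk.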
@@ -0,0 +1,250 @@
+From d3706566ae3d92677b932dd156157fd6c72534b1 Mon Sep 17 00:00:00 2001
+From: YueHaibing
+Date: Tue, 9 Apr 2019 19:53:55 +0800
+Subject: net: netrom: Fix error cleanup path of nr_proto_init
+
+From: YueHaibing
+
+commit d3706566ae3d92677b932dd156157fd6c72534b1 upstream.
+
+Syzkaller report this:
+
+BUG: unable to handle kernel paging request at fffffbfff830524b
+PGD 237fe8067 P4D 237fe8067 PUD 237e64067 PMD 1c9716067 PTE 0
+Oops: 0000 [#1] SMP KASAN PTI
+CPU: 1 PID: 4465 Comm: syz-executor.0 Not tainted 5.0.0+ #5
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+RIP: 0010:__list_add_valid+0x21/0xe0 lib/list_debug.c:23
+Code: 8b 0c 24 e9 17 fd ff ff 90 55 48 89 fd 48 8d 7a 08 53 48 89 d3 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 48 83 ec 08 <80> 3c 02 00 0f 85 8b 00 00 00 48 8b 53 08 48 39 f2 75 35 48 89 f2
+RSP: 0018:ffff8881ea2278d0 EFLAGS: 00010282
+RAX: dffffc0000000000 RBX: ffffffffc1829250 RCX: 1ffff1103d444ef4
+RDX: 1ffffffff830524b RSI: ffffffff85659300 RDI: ffffffffc1829258
+RBP: ffffffffc1879250 R08: fffffbfff0acb269 R09: fffffbfff0acb269
+R10: ffff8881ea2278f0 R11: fffffbfff0acb268 R12: ffffffffc1829250
+R13: dffffc0000000000 R14: 0000000000000008 R15: ffffffffc187c830
+FS: 00007fe0361df700(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: fffffbfff830524b CR3: 00000001eb39a001 CR4: 00000000007606e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+PKRU: 55555554
+Call Trace:
+ __list_add include/linux/list.h:60 [inline]
+ list_add include/linux/list.h:79 [inline]
+ proto_register+0x444/0x8f0 net/core/sock.c:3375
+ nr_proto_init+0x73/0x4b3 [netrom]
+ ? 0xffffffffc1628000
+ ? 0xffffffffc1628000
+ do_one_initcall+0xbc/0x47d init/main.c:887
+ do_init_module+0x1b5/0x547 kernel/module.c:3456
+ load_module+0x6405/0x8c10 kernel/module.c:3804
+ __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
+ do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x462e99
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fe0361dec58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
+RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003
+RBP: 00007fe0361dec70 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe0361df6bc
+R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004
+Modules linked in: netrom(+) ax25 fcrypt pcbc af_alg arizona_ldo1 v4l2_common videodev media v4l2_dv_timings hdlc ide_cd_mod snd_soc_sigmadsp_regmap snd_soc_sigmadsp intel_spi_platform intel_spi mtd spi_nor snd_usbmidi_lib usbcore lcd ti_ads7950 hi6421_regulator snd_soc_kbl_rt5663_max98927 snd_soc_hdac_hdmi snd_hda_ext_core snd_hda_core snd_soc_rt5663 snd_soc_core snd_pcm_dmaengine snd_compress snd_soc_rl6231 mac80211 rtc_rc5t583 spi_slave_time leds_pwm hid_gt683r hid industrialio_triggered_buffer kfifo_buf industrialio ir_kbd_i2c rc_core led_class_flash dwc_xlgmac snd_ymfpci gameport snd_mpu401_uart snd_rawmidi snd_ac97_codec snd_pcm ac97_bus snd_opl3_lib snd_timer snd_seq_device snd_hwdep snd soundcore iptable_security iptable_raw iptable_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel hsr veth netdevsim vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon dummy team bonding vcan
+ bridge stp llc ip6_gre gre ip6_tunnel tunnel6 tun joydev mousedev ppdev tpm kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel ide_pci_generic piix aesni_intel aes_x86_64 crypto_simd cryptd glue_helper ide_core psmouse input_leds i2c_piix4 serio_raw intel_agp intel_gtt ata_generic agpgart pata_acpi parport_pc rtc_cmos parport floppy sch_fq_codel ip_tables x_tables sha1_ssse3 sha1_generic ipv6 [last unloaded: rxrpc]
+Dumping ftrace buffer:
+ (ftrace buffer empty)
+CR2: fffffbfff830524b
+---[ end trace 039ab24b305c4b19 ]---
+
+If nr_proto_init failed, it may forget to call proto_unregister,
+tiggering this issue.This patch rearrange code of nr_proto_init
+to avoid such issues.
+
+Reported-by: Hulk Robot
+Signed-off-by: YueHaibing
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/net/netrom.h | 2 -
+ net/netrom/af_netrom.c | 76 +++++++++++++++++++++++++++++------------
+ net/netrom/nr_loopback.c | 2 -
+ net/netrom/nr_route.c | 2 -
+ net/netrom/sysctl_net_netrom.c | 5 ++
+ 5 files changed, 61 insertions(+), 26 deletions(-)
+
+--- a/include/net/netrom.h
++++ b/include/net/netrom.h
+@@ -266,7 +266,7 @@ void nr_stop_idletimer(struct sock *);
+ int nr_t1timer_running(struct sock *);
+
+ /* sysctl_net_netrom.c */
+-void nr_register_sysctl(void);
++int nr_register_sysctl(void);
+ void nr_unregister_sysctl(void);
+
+ #endif
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -1392,18 +1392,22 @@ static int __init nr_proto_init(void)
+ int i;
+ int rc = proto_register(&nr_proto, 0);
+
+- if (rc != 0)
+- goto out;
++ if (rc)
++ return rc;
+
+ if (nr_ndevs > 0x7fffffff/sizeof(struct net_device *)) {
+- printk(KERN_ERR "NET/ROM: nr_proto_init - nr_ndevs parameter to large\n");
+- return -1;
++ pr_err("NET/ROM: %s - nr_ndevs parameter too large\n",
++ __func__);
++ rc = -EINVAL;
++ goto unregister_proto;
+ }
+
+ dev_nr = kcalloc(nr_ndevs, sizeof(struct net_device *), GFP_KERNEL);
+- if (dev_nr == NULL) {
+- printk(KERN_ERR "NET/ROM: nr_proto_init - unable to allocate device array\n");
+- return -1;
++ if (!dev_nr) {
++ pr_err("NET/ROM: %s - unable to allocate device array\n",
++ __func__);
++ rc = -ENOMEM;
++ goto unregister_proto;
+ }
+
+ for (i = 0; i < nr_ndevs; i++) {
+@@ -1413,13 +1417,13 @@ static int __init nr_proto_init(void)
+ sprintf(name, "nr%d", i);
+ dev = alloc_netdev(0, name, NET_NAME_UNKNOWN, nr_setup);
+ if (!dev) {
+- printk(KERN_ERR "NET/ROM: nr_proto_init - unable to allocate device structure\n");
++ rc = -ENOMEM;
+ goto fail;
+ }
+
+ dev->base_addr = i;
+- if (register_netdev(dev)) {
+- printk(KERN_ERR "NET/ROM: nr_proto_init - unable to register network device\n");
++ rc = register_netdev(dev);
++ if (rc) {
+ free_netdev(dev);
+ goto fail;
+ }
+@@ -1427,36 +1431,64 @@ static int __init nr_proto_init(void)
+ dev_nr[i] = dev;
+ }
+
+- if (sock_register(&nr_family_ops)) {
+- printk(KERN_ERR "NET/ROM: nr_proto_init - unable to register socket family\n");
++ rc = sock_register(&nr_family_ops);
++ if (rc)
+ goto fail;
+- }
+
+- register_netdevice_notifier(&nr_dev_notifier);
++ rc = register_netdevice_notifier(&nr_dev_notifier);
++ if (rc)
++ goto out_sock;
+
+ ax25_register_pid(&nr_pid);
+ ax25_linkfail_register(&nr_linkfail_notifier);
+
+ #ifdef CONFIG_SYSCTL
+- nr_register_sysctl();
++ rc = nr_register_sysctl();
++ if (rc)
++ goto out_sysctl;
+ #endif
+
+ nr_loopback_init();
+
+- proc_create_seq("nr", 0444, init_net.proc_net, &nr_info_seqops);
+- proc_create_seq("nr_neigh", 0444, init_net.proc_net, &nr_neigh_seqops);
+- proc_create_seq("nr_nodes", 0444, init_net.proc_net, &nr_node_seqops);
+-out:
+- return rc;
++ rc = -ENOMEM;
++ if (!proc_create_seq("nr", 0444, init_net.proc_net, &nr_info_seqops))
++ goto proc_remove1;
++ if (!proc_create_seq("nr_neigh", 0444, init_net.proc_net,
++ &nr_neigh_seqops))
++ goto proc_remove2;
++ if (!proc_create_seq("nr_nodes", 0444, init_net.proc_net,
++ &nr_node_seqops))
++ goto proc_remove3;
++
++ return 0;
++
++proc_remove3:
++ remove_proc_entry("nr_neigh", init_net.proc_net);
++proc_remove2:
++ remove_proc_entry("nr", init_net.proc_net);
++proc_remove1:
++
++ nr_loopback_clear();
++ nr_rt_free();
++
++#ifdef CONFIG_SYSCTL
++ nr_unregister_sysctl();
++out_sysctl:
++#endif
++ ax25_linkfail_release(&nr_linkfail_notifier);
++ ax25_protocol_release(AX25_P_NETROM);
++ unregister_netdevice_notifier(&nr_dev_notifier);
++out_sock:
++ sock_unregister(PF_NETROM);
+ fail:
+ while (--i >= 0) {
+ unregister_netdev(dev_nr[i]);
+ free_netdev(dev_nr[i]);
+ }
+ kfree(dev_nr);
++unregister_proto:
+ proto_unregister(&nr_proto);
+- rc = -1;
+- goto out;
++ return rc;
+ }
+
+ module_init(nr_proto_init);
+--- a/net/netrom/nr_loopback.c
++++ b/net/netrom/nr_loopback.c
+@@ -70,7 +70,7 @@ static void nr_loopback_timer(struct tim
+ }
+ }
+
+-void __exit nr_loopback_clear(void)
++void nr_loopback_clear(void)
+ {
+ del_timer_sync(&loopback_timer);
+ skb_queue_purge(&loopback_queue);
+--- a/net/netrom/nr_route.c
++++ b/net/netrom/nr_route.c
+@@ -953,7 +953,7 @@ const struct seq_operations nr_neigh_seq
+ /*
+ * Free all memory associated with the nodes and routes lists.
+ */
+-void __exit nr_rt_free(void)
++void nr_rt_free(void)
+ {
+ struct nr_neigh *s = NULL;
+ struct nr_node *t = NULL;
+--- a/net/netrom/sysctl_net_netrom.c
++++ b/net/netrom/sysctl_net_netrom.c
+@@ -146,9 +146,12 @@ static struct ctl_table nr_table[] = {
+ { }
+ };
+
+-void __init nr_register_sysctl(void)
++int __init nr_register_sysctl(void)
+ {
+ nr_table_header = register_net_sysctl(&init_net, "net/netrom", nr_table);
++ if (!nr_table_header)
++ return -ENOMEM;
++ return 0;
+ }
+
+ void nr_unregister_sysctl(void)
diff --git a/queue-4.19/net-rds-check-address-length-before-reading-address-family.patch b/queue-4.19/net-rds-check-address-length-before-reading-address-family.patch
new file mode 100644
index 00000000000..22bc2fba084
--- /dev/null
+++ b/queue-4.19/net-rds-check-address-length-before-reading-address-family.patch
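Review bot: The new unwind chain from `proc_remove3:` down to `unregister_proto:` in `nr_proto_init()` is what a future reader must keep in step with the registration sequence above it, yet it carries no comment; a line such as `/* undo the registrations above in reverse order */` before `proc_remove3:` would help, and the stray empty line right after `proc_remove1:` (the label floats above a blank before `nr_loopback_clear()`) is worth dropping. Dropping `__exit` from `nr_loopback_clear()` and `nr_rt_free()` is what lets the init path call them, which the commit does but its message does not mention. The function's opening lines are above the first af_netrom.c hunk.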
@@ -0,0 +1,52 @@
+From dd3ac9a684358b8c1d5c432ca8322aaf5e4f28ee Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa
+Date: Fri, 12 Apr 2019 19:51:52 +0900
+Subject: net/rds: Check address length before reading address family
+
+From: Tetsuo Handa
+
+commit dd3ac9a684358b8c1d5c432ca8322aaf5e4f28ee upstream.
+
+syzbot is reporting uninitialized value at rds_connect() [1] and
+rds_bind() [2]. This is because syzbot is passing ulen == 0 whereas
+these functions expect that it is safe to access sockaddr->family field
+in order to determine minimal address length for validation.
+
+[1] https://syzkaller.appspot.com/bug?id=f4e61c010416c1e6f0fa3ffe247561b60a50ad71
+[2] https://syzkaller.appspot.com/bug?id=a4bf9e41b7e055c3823fdcd83e8c58ca7270e38f
+
+Reported-by: syzbot
+Reported-by: syzbot
+Signed-off-by: Tetsuo Handa
+Acked-by: Santosh Shilimkar
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/rds/af_rds.c | 3 +++
+ net/rds/bind.c | 2 ++
+ 2 files changed, 5 insertions(+)
+
+--- a/net/rds/af_rds.c
++++ b/net/rds/af_rds.c
+@@ -506,6 +506,9 @@ static int rds_connect(struct socket *so
+ struct rds_sock *rs = rds_sk_to_rs(sk);
+ int ret = 0;
+
++ if (addr_len < offsetofend(struct sockaddr, sa_family))
++ return -EINVAL;
++
+ lock_sock(sk);
+
+ switch (uaddr->sa_family) {
+--- a/net/rds/bind.c
++++ b/net/rds/bind.c
+@@ -173,6 +173,8 @@ int rds_bind(struct socket *sock, struct
+ /* We allow an RDS socket to be bound to either IPv4 or IPv6
+ * address.
+ */
++ if (addr_len < offsetofend(struct sockaddr, sa_family))
++ return -EINVAL;
+ if (uaddr->sa_family == AF_INET) {
+ struct sockaddr_in *sin = (struct sockaddr_in *)uaddr;
+
diff --git a/queue-4.19/netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch b/queue-4.19/netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch
new file mode 100644
index 00000000000..073b72076fb
--- /dev/null
+++ b/queue-4.19/netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch
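Review bot: In `rds_bind()`, the two added lines are placed between the comment `/* We allow an RDS socket to be bound to either IPv4 or IPv6 address. */` and the `if (uaddr->sa_family == AF_INET)` it describes, so the comment now reads as if it explained the length check; moving `if (addr_len < offsetofend(struct sockaddr, sa_family)) return -EINVAL;` above the comment block keeps the comment on its branch. The check only guarantees that `sa_family` itself is within `addr_len`; the per-family minimum lengths are presumably enforced in the branches below, which lie outside the hunk. In `rds_connect()` the same check precedes `lock_sock()`, so its early return needs no unlock. Both functions start and end outside the hunk.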
@@ -0,0 +1,34 @@
+From 7caa56f006e9d712b44f27b32520c66420d5cbc6 Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Mon, 15 Apr 2019 00:43:00 +0200
+Subject: netfilter: ebtables: CONFIG_COMPAT: drop a bogus WARN_ON
+
+From: Florian Westphal
+
+commit 7caa56f006e9d712b44f27b32520c66420d5cbc6 upstream.
+
+It means userspace gave us a ruleset where there is some other
+data after the ebtables target but before the beginning of the next rule.
+
+Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
+Reported-by: syzbot+659574e7bcc7f7eb4df7@syzkaller.appspotmail.com
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bridge/netfilter/ebtables.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -2032,7 +2032,8 @@ static int ebt_size_mwt(struct compat_eb
+ if (match_kern)
+ match_kern->match_size = ret;
+
+- if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))
++ /* rule should have no remaining data after target */
++ if (type == EBT_COMPAT_TARGET && size_left)
+ return -EINVAL;
+
+ match32 = (struct compat_ebt_entry_mwt *) buf;
diff --git a/queue-4.19/nfs-forbid-setting-af_inet6-to-struct-sockaddr_in-sin_family.patch b/queue-4.19/nfs-forbid-setting-af_inet6-to-struct-sockaddr_in-sin_family.patch
new file mode 100644
index 00000000000..62c40928b97
--- /dev/null
+++ b/queue-4.19/nfs-forbid-setting-af_inet6-to-struct-sockaddr_in-sin_family.patch
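Review bot: The new comment says what is checked but not why the `WARN_ON` was dropped; since the commit message states this state comes from a userspace-supplied ruleset, extending it to `/* rule should have no remaining data after target; a malformed userspace ruleset can produce this, so it is an input error (-EINVAL), not a kernel invariant */` records that for the next reader. The `return -EINVAL` is unchanged, so callers see the same result as before, only without the warning splat. `ebt_size_mwt()` starts and ends outside the hunk.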
@@ -0,0 +1,43 @@
+From 7c2bd9a39845bfb6d72ddb55ce737650271f6f96 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa
+Date: Sat, 30 Mar 2019 10:21:07 +0900
+Subject: NFS: Forbid setting AF_INET6 to "struct sockaddr_in"->sin_family.
+
+From: Tetsuo Handa
+
+commit 7c2bd9a39845bfb6d72ddb55ce737650271f6f96 upstream.
+
+syzbot is reporting uninitialized value at rpc_sockaddr2uaddr() [1]. This
+is because syzbot is setting AF_INET6 to "struct sockaddr_in"->sin_family
+(which is embedded into user-visible "struct nfs_mount_data" structure)
+despite nfs23_validate_mount_data() cannot pass sizeof(struct sockaddr_in6)
+bytes of AF_INET6 address to rpc_sockaddr2uaddr().
+
+Since "struct nfs_mount_data" structure is user-visible, we can't change
+"struct nfs_mount_data" to use "struct sockaddr_storage". Therefore,
+assuming that everybody is using AF_INET family when passing address via
+"struct nfs_mount_data"->addr, reject if its sin_family is not AF_INET.
+
+[1] https://syzkaller.appspot.com/bug?id=599993614e7cbbf66bc2656a919ab2a95fb5d75c
+
+Reported-by: syzbot
+Signed-off-by: Tetsuo Handa
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/super.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -2052,7 +2052,8 @@ static int nfs23_validate_mount_data(voi
+ memcpy(sap, &data->addr, sizeof(data->addr));
+ args->nfs_server.addrlen = sizeof(data->addr);
+ args->nfs_server.port = ntohs(data->addr.sin_port);
+- if (!nfs_verify_server_address(sap))
++ if (sap->sa_family != AF_INET ||
++ !nfs_verify_server_address(sap))
+ goto out_no_address;
+
+ if (!(data->flags & NFS_MOUNT_TCP))
diff --git a/queue-4.19/rxrpc-fix-race-condition-in-rxrpc_input_packet.patch b/queue-4.19/rxrpc-fix-race-condition-in-rxrpc_input_packet.patch
new file mode 100644
index 00000000000..0d3825609a8
--- /dev/null
+++ b/queue-4.19/rxrpc-fix-race-condition-in-rxrpc_input_packet.patch
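Review bot: The new `sap->sa_family != AF_INET` test is justified only in the commit message; a comment on the condition such as `/* data->addr is a struct sockaddr_in, so only AF_INET can be a valid family here */` would tie it to the `sizeof(data->addr)` copy two lines above and to the `sin_port` read beside it. Checking the family before `nfs_verify_server_address()` also means the verifier is never handed a sockaddr_in that claims a larger family, which is the point the message makes about rpc_sockaddr2uaddr(). `nfs23_validate_mount_data()` starts and ends outside the hunk.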
@@ -0,0 +1,147 @@
+From 032be5f19a94de51093851757089133dcc1e92aa Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Wed, 24 Apr 2019 09:44:11 -0700
+Subject: rxrpc: fix race condition in rxrpc_input_packet()
+
+From: Eric Dumazet
+
+commit 032be5f19a94de51093851757089133dcc1e92aa upstream.
+
+After commit 5271953cad31 ("rxrpc: Use the UDP encap_rcv hook"),
+rxrpc_input_packet() is directly called from lockless UDP receive
+path, under rcu_read_lock() protection.
+
+It must therefore use RCU rules :
+
+- udp_sk->sk_user_data can be cleared at any point in this function.
+ rcu_dereference_sk_user_data() is what we need here.
+
+- Also, since sk_user_data might have been set in rxrpc_open_socket()
+ we must observe a proper RCU grace period before kfree(local) in
+ rxrpc_lookup_local()
+
+v4: @local can be NULL in xrpc_lookup_local() as reported by kbuild test robot
+ and Julia Lawall , thanks !
+
+v3,v2 : addressed David Howells feedback, thanks !
+
+syzbot reported :
+
+kasan: CONFIG_KASAN_INLINE enabled
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] PREEMPT SMP KASAN
+CPU: 0 PID: 19236 Comm: syz-executor703 Not tainted 5.1.0-rc6 #79
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:__lock_acquire+0xbef/0x3fb0 kernel/locking/lockdep.c:3573
+Code: 00 0f 85 a5 1f 00 00 48 81 c4 10 01 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 4a 21 00 00 49 81 7d 00 20 54 9c 89 0f 84 cf f4
+RSP: 0018:ffff88809d7aef58 EFLAGS: 00010002
+RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
+RDX: 0000000000000026 RSI: 0000000000000000 RDI: 0000000000000001
+RBP: ffff88809d7af090 R08: 0000000000000001 R09: 0000000000000001
+R10: ffffed1015d05bc7 R11: ffff888089428600 R12: 0000000000000000
+R13: 0000000000000130 R14: 0000000000000001 R15: 0000000000000001
+FS: 00007f059044d700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000004b6040 CR3: 00000000955ca000 CR4: 00000000001406f0
+Call Trace:
+ lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:4211
+ __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
+ _raw_spin_lock_irqsave+0x95/0xcd kernel/locking/spinlock.c:152
+ skb_queue_tail+0x26/0x150 net/core/skbuff.c:2972
+ rxrpc_reject_packet net/rxrpc/input.c:1126 [inline]
+ rxrpc_input_packet+0x4a0/0x5536 net/rxrpc/input.c:1414
+ udp_queue_rcv_one_skb+0xaf2/0x1780 net/ipv4/udp.c:2011
+ udp_queue_rcv_skb+0x128/0x730 net/ipv4/udp.c:2085
+ udp_unicast_rcv_skb.isra.0+0xb9/0x360 net/ipv4/udp.c:2245
+ __udp4_lib_rcv+0x701/0x2ca0 net/ipv4/udp.c:2301
+ udp_rcv+0x22/0x30 net/ipv4/udp.c:2482
+ ip_protocol_deliver_rcu+0x60/0x8f0 net/ipv4/ip_input.c:208
+ ip_local_deliver_finish+0x23b/0x390 net/ipv4/ip_input.c:234
+ NF_HOOK include/linux/netfilter.h:289 [inline]
+ NF_HOOK include/linux/netfilter.h:283 [inline]
+ ip_local_deliver+0x1e9/0x520 net/ipv4/ip_input.c:255
+ dst_input include/net/dst.h:450 [inline]
+ ip_rcv_finish+0x1e1/0x300 net/ipv4/ip_input.c:413
+ NF_HOOK include/linux/netfilter.h:289 [inline]
+ NF_HOOK include/linux/netfilter.h:283 [inline]
+ ip_rcv+0xe8/0x3f0 net/ipv4/ip_input.c:523
+ __netif_receive_skb_one_core+0x115/0x1a0 net/core/dev.c:4987
+ __netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5099
+ netif_receive_skb_internal+0x117/0x660 net/core/dev.c:5202
+ napi_frags_finish net/core/dev.c:5769 [inline]
+ napi_gro_frags+0xade/0xd10 net/core/dev.c:5843
+ tun_get_user+0x2f24/0x3fb0 drivers/net/tun.c:1981
+ tun_chr_write_iter+0xbd/0x156 drivers/net/tun.c:2027
+ call_write_iter include/linux/fs.h:1866 [inline]
+ do_iter_readv_writev+0x5e1/0x8e0 fs/read_write.c:681
+ do_iter_write fs/read_write.c:957 [inline]
+ do_iter_write+0x184/0x610 fs/read_write.c:938
+ vfs_writev+0x1b3/0x2f0 fs/read_write.c:1002
+ do_writev+0x15e/0x370 fs/read_write.c:1037
+ __do_sys_writev fs/read_write.c:1110 [inline]
+ __se_sys_writev fs/read_write.c:1107 [inline]
+ __x64_sys_writev+0x75/0xb0 fs/read_write.c:1107
+ do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fixes: 5271953cad31 ("rxrpc: Use the UDP encap_rcv hook")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Acked-by: David Howells
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/rxrpc/input.c | 12 ++++++++----
+ net/rxrpc/local_object.c | 3 ++-
+ 2 files changed, 10 insertions(+), 5 deletions(-)
+
+--- a/net/rxrpc/input.c
++++ b/net/rxrpc/input.c
+@@ -1155,19 +1155,19 @@ int rxrpc_extract_header(struct rxrpc_sk
+ * handle data received on the local endpoint
+ * - may be called in interrupt context
+ *
+- * The socket is locked by the caller and this prevents the socket from being
+- * shut down and the local endpoint from going away, thus sk_user_data will not
+- * be cleared until this function returns.
++ * [!] Note that as this is called from the encap_rcv hook, the socket is not
++ * held locked by the caller and nothing prevents sk_user_data on the UDP from
++ * being cleared in the middle of processing this function.
+ *
+ * Called with the RCU read lock held from the IP layer via UDP.
+ */
+ int rxrpc_input_packet(struct sock *udp_sk, struct sk_buff *skb)
+ {
++ struct rxrpc_local *local = rcu_dereference_sk_user_data(udp_sk);
+ struct rxrpc_connection *conn;
+ struct rxrpc_channel *chan;
+ struct rxrpc_call *call = NULL;
+ struct rxrpc_skb_priv *sp;
+- struct rxrpc_local *local = udp_sk->sk_user_data;
+ struct rxrpc_peer *peer = NULL;
+ struct rxrpc_sock *rx = NULL;
+ unsigned int channel;
+@@ -1175,6 +1175,10 @@ int rxrpc_input_packet(struct sock *udp_
+
+ _enter("%p", udp_sk);
+
++ if (unlikely(!local)) {
++ kfree_skb(skb);
++ return 0;
++ }
+ if (skb->tstamp == 0)
+ skb->tstamp = ktime_get_real();
+
+--- a/net/rxrpc/local_object.c
++++ b/net/rxrpc/local_object.c
+@@ -304,7 +304,8 @@ nomem:
+ ret = -ENOMEM;
+ sock_error:
+ mutex_unlock(&rxnet->local_mutex);
+- kfree(local);
++ if (local)
++ call_rcu(&local->rcu, rxrpc_local_rcu);
+ _leave(" = %d", ret);
+ return ERR_PTR(ret);
+
diff --git a/queue-4.19/sched-deadline-correctly-handle-active-0-lag-timers.patch b/queue-4.19/sched-deadline-correctly-handle-active-0-lag-timers.patch
new file mode 100644
index 00000000000..6487c9402cb
--- /dev/null
+++ b/queue-4.19/sched-deadline-correctly-handle-active-0-lag-timers.patch
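Review bot: The new `if (unlikely(!local))` guard only covers sk_user_data being already NULL at entry; nothing at that point in the code records why `local` stays safe to dereference for the remainder of rxrpc_input_packet() even if sk_user_data is cleared concurrently, which the rewritten header comment says can happen. That safety comes from the second hunk — the `sock_error` path of rxrpc_lookup_local() now defers the free through `call_rcu(&local->rcu, rxrpc_local_rcu)` — together with the RCU read lock the header comment mentions; I would say so at the guard: `/* sk_user_data may be cleared under us; a non-NULL @local read under RCU stays valid until the grace period (see rxrpc_local_rcu) */`. Only that one kfree is converted here, so it is worth confirming that every other release of a struct rxrpc_local already goes through RCU, which the hunks do not show. The rest of rxrpc_input_packet() and the `nomem`/`sock_error` function body lie outside the hunks.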
@@ -0,0 +1,64 @@
+From 1b02cd6a2d7f3e2a6a5262887d2cb2912083e42f Mon Sep 17 00:00:00 2001
+From: luca abeni
+Date: Mon, 25 Mar 2019 14:15:30 +0100
+Subject: sched/deadline: Correctly handle active 0-lag timers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: luca abeni
+
+commit 1b02cd6a2d7f3e2a6a5262887d2cb2912083e42f upstream.
+
+syzbot reported the following warning:
+
+ [ ] WARNING: CPU: 4 PID: 17089 at kernel/sched/deadline.c:255 task_non_contending+0xae0/0x1950
+
+line 255 of deadline.c is:
+
+ WARN_ON(hrtimer_active(&dl_se->inactive_timer));
+
+in task_non_contending().
+
+Unfortunately, in some cases (for example, a deadline task
+continuosly blocking and waking immediately) it can happen that
+a task blocks (and task_non_contending() is called) while the
+0-lag timer is still active.
+
+In this case, the safest thing to do is to immediately decrease
+the running bandwidth of the task, without trying to re-arm the 0-lag timer.
+
+Signed-off-by: luca abeni
+Signed-off-by: Peter Zijlstra (Intel)
+Acked-by: Juri Lelli
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: chengjian (D)
+Link: https://lkml.kernel.org/r/20190325131530.34706-1-luca.abeni@santannapisa.it
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/sched/deadline.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -252,7 +252,6 @@ static void task_non_contending(struct t
+ if (dl_entity_is_special(dl_se))
+ return;
+
+- WARN_ON(hrtimer_active(&dl_se->inactive_timer));
+ WARN_ON(dl_se->dl_non_contending);
+
+ zerolag_time = dl_se->deadline -
+@@ -269,7 +268,7 @@ static void task_non_contending(struct t
+ * If the "0-lag time" already passed, decrease the active
+ * utilization now, instead of starting a timer
+ */
+- if (zerolag_time < 0) {
++ if ((zerolag_time < 0) || hrtimer_active(&dl_se->inactive_timer)) {
+ if (dl_task(p))
+ sub_running_bw(dl_se, dl_rq);
+ if (!dl_task(p) || p->state == TASK_DEAD) {
diff --git a/queue-4.19/series b/queue-4.19/series
index abe7df95a31..bfbc02c8cf3 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -49,3 +49,17 @@ revert-drm-i915-fbdev-actually-configure-untiled-displays.patch
 drm-vc4-fix-compilation-error-reported-by-kbuild-test-bot.patch
 usb-add-new-usb-lpm-helpers.patch
 usb-consolidate-lpm-checks-to-avoid-enabling-lpm-twice.patch
+slip-make-slhc_free-silently-accept-an-error-pointer.patch
+intel_th-gth-fix-an-off-by-one-in-output-unassigning.patch
+fs-proc-proc_sysctl.c-fix-a-null-pointer-dereference.patch
+workqueue-try-to-catch-flush_work-without-init_work.patch
+binder-fix-handling-of-misaligned-binder-object.patch
+sched-deadline-correctly-handle-active-0-lag-timers.patch
+nfs-forbid-setting-af_inet6-to-struct-sockaddr_in-sin_family.patch
+netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch
+fm10k-fix-a-potential-null-pointer-dereference.patch
+tipc-check-bearer-name-with-right-length-in-tipc_nl_compat_bearer_enable.patch
+tipc-check-link-name-with-right-length-in-tipc_nl_compat_link_set.patch
+net-netrom-fix-error-cleanup-path-of-nr_proto_init.patch
+net-rds-check-address-length-before-reading-address-family.patch
+rxrpc-fix-race-condition-in-rxrpc_input_packet.patch
diff --git a/queue-4.19/slip-make-slhc_free-silently-accept-an-error-pointer.patch b/queue-4.19/slip-make-slhc_free-silently-accept-an-error-pointer.patch
new file mode 100644
index 00000000000..c52a7c0a0bc
--- /dev/null
+++ b/queue-4.19/slip-make-slhc_free-silently-accept-an-error-pointer.patch
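Review bot: The comment block kept directly above the changed condition in task_non_contending() (`If the "0-lag time" already passed, decrease the active utilization now, instead of starting a timer`) no longer describes it, since the immediate path is now also taken when `hrtimer_active(&dl_se->inactive_timer)` is true. I would extend it to: `* If the "0-lag time" already passed, or the inactive timer is still armed from a previous deactivation, decrease the active utilization now instead of (re)arming the timer`. That immediate `sub_running_bw()` presumably relies on the still-pending timer callback not subtracting the bandwidth a second time when it eventually fires; the callback is outside the hunk, so stating that invariant in the same comment would spare the next reader a search. The rest of task_non_contending() continues beyond the hunk.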
@@ -0,0 +1,48 @@
+From baf76f0c58aec435a3a864075b8f6d8ee5d1f17e Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Thu, 25 Apr 2019 16:13:58 -0700
+Subject: slip: make slhc_free() silently accept an error pointer
+
+From: Linus Torvalds
+
+commit baf76f0c58aec435a3a864075b8f6d8ee5d1f17e upstream.
+
+This way, slhc_free() accepts what slhc_init() returns, whether that is
+an error or not.
+
+In particular, the pattern in sl_alloc_bufs() is
+
+ slcomp = slhc_init(16, 16);
+ ...
+ slhc_free(slcomp);
+
+for the error handling path, and rather than complicate that code, just
+make it ok to always free what was returned by the init function.
+
+That's what the code used to do before commit 4ab42d78e37a ("ppp, slip:
+Validate VJ compression slot parameters completely") when slhc_init()
+just returned NULL for the error case, with no actual indication of the
+details of the error.
+
+Reported-by: syzbot+45474c076a4927533d2e@syzkaller.appspotmail.com
+Fixes: 4ab42d78e37a ("ppp, slip: Validate VJ compression slot parameters completely")
+Acked-by: Ben Hutchings
+Cc: David Miller
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/slip/slhc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/slip/slhc.c
++++ b/drivers/net/slip/slhc.c
+@@ -153,7 +153,7 @@ out_fail:
+ void
+ slhc_free(struct slcompress *comp)
+ {
+- if ( comp == NULLSLCOMPR )
++ if ( IS_ERR_OR_NULL(comp) )
+ return;
+
+ if ( comp->tstate != NULLSLSTATE )
diff --git a/queue-4.19/tipc-check-bearer-name-with-right-length-in-tipc_nl_compat_bearer_enable.patch b/queue-4.19/tipc-check-bearer-name-with-right-length-in-tipc_nl_compat_bearer_enable.patch
new file mode 100644
index 00000000000..51e94f99c34
--- /dev/null
+++ b/queue-4.19/tipc-check-bearer-name-with-right-length-in-tipc_nl_compat_bearer_enable.patch
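Review bot: `IS_ERR_OR_NULL(comp)` widens slhc_free()'s contract to accept an ERR_PTR from slhc_init(), but the function carries no comment saying so, and the reason (the `slhc_init(); ... slhc_free();` error-path pattern in sl_alloc_bufs() described in the message) is only recoverable from git history. I would add above `slhc_free`: `/* Free a compressor. NULL and ERR_PTR() values, i.e. anything slhc_init() can return, are accepted and ignored so callers may free unconditionally on their error path. */`. Whether slhc.c already includes the header that provides IS_ERR_OR_NULL is not visible in this hunk; the remainder of slhc_free() is outside it.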
@@ -0,0 +1,69 @@
+From 6f07e5f06c8712acc423485f657799fc8e11e56c Mon Sep 17 00:00:00 2001
+From: Xin Long
+Date: Sun, 31 Mar 2019 22:50:08 +0800
+Subject: tipc: check bearer name with right length in tipc_nl_compat_bearer_enable
+
+From: Xin Long
+
+commit 6f07e5f06c8712acc423485f657799fc8e11e56c upstream.
+
+Syzbot reported the following crash:
+
+BUG: KMSAN: uninit-value in memchr+0xce/0x110 lib/string.c:961
+ memchr+0xce/0x110 lib/string.c:961
+ string_is_valid net/tipc/netlink_compat.c:176 [inline]
+ tipc_nl_compat_bearer_enable+0x2c4/0x910 net/tipc/netlink_compat.c:401
+ __tipc_nl_compat_doit net/tipc/netlink_compat.c:321 [inline]
+ tipc_nl_compat_doit+0x3aa/0xaf0 net/tipc/netlink_compat.c:354
+ tipc_nl_compat_handle net/tipc/netlink_compat.c:1162 [inline]
+ tipc_nl_compat_recv+0x1ae7/0x2750 net/tipc/netlink_compat.c:1265
+ genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
+ genl_rcv_msg+0x185f/0x1a60 net/netlink/genetlink.c:626
+ netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2477
+ genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
+ netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
+ netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1336
+ netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917
+ sock_sendmsg_nosec net/socket.c:622 [inline]
+ sock_sendmsg net/socket.c:632 [inline]
+
+Uninit was created at:
+ __alloc_skb+0x309/0xa20 net/core/skbuff.c:208
+ alloc_skb include/linux/skbuff.h:1012 [inline]
+ netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
+ netlink_sendmsg+0xb82/0x1300 net/netlink/af_netlink.c:1892
+ sock_sendmsg_nosec net/socket.c:622 [inline]
+ sock_sendmsg net/socket.c:632 [inline]
+
+It was triggered when the bearer name size < TIPC_MAX_BEARER_NAME,
+it would check with a wrong len/TLV_GET_DATA_LEN(msg->req), which
+also includes priority and disc_domain length.
+
+This patch is to fix it by checking it with a right length:
+'TLV_GET_DATA_LEN(msg->req) - offsetof(struct tipc_bearer_config, name)'.
+
+Reported-by: syzbot+8b707430713eb46e1e45@syzkaller.appspotmail.com
+Signed-off-by: Xin Long
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/tipc/netlink_compat.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -403,7 +403,12 @@ static int tipc_nl_compat_bearer_enable(
+ if (!bearer)
+ return -EMSGSIZE;
+
+- len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME);
++ len = TLV_GET_DATA_LEN(msg->req);
++ len -= offsetof(struct tipc_bearer_config, name);
++ if (len <= 0)
++ return -EINVAL;
++
++ len = min_t(int, len, TIPC_MAX_BEARER_NAME);
+ if (!string_is_valid(b->name, len))
+ return -EINVAL;
+
diff --git a/queue-4.19/tipc-check-link-name-with-right-length-in-tipc_nl_compat_link_set.patch b/queue-4.19/tipc-check-link-name-with-right-length-in-tipc_nl_compat_link_set.patch
new file mode 100644
index 00000000000..bfa23ed6af2
--- /dev/null
+++ b/queue-4.19/tipc-check-link-name-with-right-length-in-tipc_nl_compat_link_set.patch
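Review bot: `len -= offsetof(struct tipc_bearer_config, name)` subtracts a size_t from `len`, which the later `min_t(int, len, ...)` suggests is an int; the subtraction is performed unsigned and converted back, and the `if (len <= 0)` test relies on that conversion yielding a negative int when the TLV payload is shorter than the name offset. That holds on the targets Linux builds for, but the reliance is easy to miss, so I would either note it, `/* payload shorter than the name offset wraps to a negative len and is rejected */`, or compare unsigned first: `if (TLV_GET_DATA_LEN(msg->req) <= offsetof(struct tipc_bearer_config, name)) return -EINVAL;`. The same pattern is repeated in the tipc_nl_compat_link_set hunk that follows, with `struct tipc_link_config`. A useful side effect worth recording in the comment is that `len > 0` also guarantees the fixed fields that precede `name` (priority and disc_domain, per the message) lie within the TLV payload; where `b` is set up and whether an earlier size check exists is outside the hunk.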
@@ -0,0 +1,41 @@
+From 8c63bf9ab4be8b83bd8c34aacfd2f1d2c8901c8a Mon Sep 17 00:00:00 2001
+From: Xin Long
+Date: Sun, 31 Mar 2019 22:50:09 +0800
+Subject: tipc: check link name with right length in tipc_nl_compat_link_set
+
+From: Xin Long
+
+commit 8c63bf9ab4be8b83bd8c34aacfd2f1d2c8901c8a upstream.
+
+A similar issue as fixed by Patch "tipc: check bearer name with right
+length in tipc_nl_compat_bearer_enable" was also found by syzbot in
+tipc_nl_compat_link_set().
+
+The length to check with should be 'TLV_GET_DATA_LEN(msg->req) -
+offsetof(struct tipc_link_config, name)'.
+
+Reported-by: syzbot+de00a87b8644a582ae79@syzkaller.appspotmail.com
+Signed-off-by: Xin Long
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/tipc/netlink_compat.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -777,7 +777,12 @@ static int tipc_nl_compat_link_set(struc
+
+ lc = (struct tipc_link_config *)TLV_DATA(msg->req);
+
+- len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME);
++ len = TLV_GET_DATA_LEN(msg->req);
++ len -= offsetof(struct tipc_link_config, name);
++ if (len <= 0)
++ return -EINVAL;
++
++ len = min_t(int, len, TIPC_MAX_LINK_NAME);
+ if (!string_is_valid(lc->name, len))
+ return -EINVAL;
+
diff --git a/queue-4.19/workqueue-try-to-catch-flush_work-without-init_work.patch b/queue-4.19/workqueue-try-to-catch-flush_work-without-init_work.patch
new file mode 100644
index 00000000000..a9bfd895005
--- /dev/null
+++ b/queue-4.19/workqueue-try-to-catch-flush_work-without-init_work.patch
@@ -0,0 +1,43 @@
+From 4d43d395fed124631ca02356c711facb90185175 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa
+Date: Wed, 23 Jan 2019 09:44:12 +0900
+Subject: workqueue: Try to catch flush_work() without INIT_WORK().
+
+From: Tetsuo Handa
+
+commit 4d43d395fed124631ca02356c711facb90185175 upstream.
+
+syzbot found a flush_work() caller who forgot to call INIT_WORK()
+because that work_struct was allocated by kzalloc() [1]. But the message
+
+ INFO: trying to register non-static key.
+ the code is fine but needs lockdep annotation.
+ turning off the locking correctness validator.
+
+by lock_map_acquire() is failing to tell that INIT_WORK() is missing.
+
+Since flush_work() without INIT_WORK() is a bug, and INIT_WORK() should
+set ->func field to non-zero, let's warn if ->func field is zero.
+
+[1] https://syzkaller.appspot.com/bug?id=a5954455fcfa51c29ca2ab55b203076337e1c770
+
+Signed-off-by: Tetsuo Handa
+Signed-off-by: Tejun Heo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/workqueue.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -2908,6 +2908,9 @@ static bool __flush_work(struct work_str
+ if (WARN_ON(!wq_online))
+ return false;
+
++ if (WARN_ON(!work->func))
++ return false;
++
+ if (!from_cancel) {
+ lock_map_acquire(&work->lockdep_map);
+ lock_map_release(&work->lockdep_map);
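Review bot: The new `if (WARN_ON(!work->func)) return false;` is a correct use of WARN_ON — a zero `func` can only come from a work_struct that never went through INIT_WORK(), i.e. a kernel bug rather than anything driven by userspace input — but the code itself does not say why `func` is the field being probed, and the next reader may be tempted to soften it into a silent return or to drop it. I would add above it: `/* INIT_WORK() always sets ->func; a zero func means this work was never initialised (e.g. straight from kzalloc()), so its lockdep_map below is uninitialised too */`. The early return mirrors the `!wq_online` case just above, which keeps the function's failure convention consistent; __flush_work() continues outside the hunk.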