From: Greg Kroah-Hartman Date: Mon, 9 Dec 2019 18:46:58 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v5.4.3~45 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c4d93bfeadd091f35f9a724b5a1691393926e66a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: can-slcan-fix-use-after-free-read-in-slcan_open.patch cifs-fix-null-pointer-dereference-in-smb2_push_mandatory_locks.patch cifs-fix-smb2-oplock-break-processing.patch jbd2-fix-possible-overflow-in-jbd2_log_space_left.patch tty-vt-keyboard-reject-invalid-keycodes.patch x86-pci-avoid-amd-fch-xhci-usb-pme-from-d0-defect.patch --- diff --git a/queue-4.9/can-slcan-fix-use-after-free-read-in-slcan_open.patch b/queue-4.9/can-slcan-fix-use-after-free-read-in-slcan_open.patch new file mode 100644 index 00000000000..388375bd857 --- /dev/null +++ b/queue-4.9/can-slcan-fix-use-after-free-read-in-slcan_open.patch @@ -0,0 +1,65 @@ +From 9ebd796e24008f33f06ebea5a5e6aceb68b51794 Mon Sep 17 00:00:00 2001 +From: Jouni Hogander +Date: Wed, 27 Nov 2019 08:40:26 +0200 +Subject: can: slcan: Fix use-after-free Read in slcan_open + +From: Jouni Hogander + +commit 9ebd796e24008f33f06ebea5a5e6aceb68b51794 upstream. + +Slcan_open doesn't clean-up device which registration failed from the +slcan_devs device list. On next open this list is iterated and freed +device is accessed. Fix this by calling slc_free_netdev in error path. + +Driver/net/can/slcan.c is derived from slip.c. Use-after-free error was +identified in slip_open by syzboz. Same bug is in slcan.c. Here is the +trace from the Syzbot slip report: + +__dump_stack lib/dump_stack.c:77 [inline] +dump_stack+0x197/0x210 lib/dump_stack.c:118 +print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374 +__kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506 +kasan_report+0x12/0x20 mm/kasan/common.c:634 +__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132 +sl_sync drivers/net/slip/slip.c:725 [inline] +slip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801 +tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469 +tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596 +tiocsetd drivers/tty/tty_io.c:2334 [inline] +tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594 +vfs_ioctl fs/ioctl.c:46 [inline] +file_ioctl fs/ioctl.c:509 [inline] +do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696 +ksys_ioctl+0xab/0xd0 fs/ioctl.c:713 +__do_sys_ioctl fs/ioctl.c:720 [inline] +__se_sys_ioctl fs/ioctl.c:718 [inline] +__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718 +do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290 +entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Fixes: ed50e1600b44 ("slcan: Fix memory leak in error path") +Cc: Wolfgang Grandegger +Cc: Marc Kleine-Budde +Cc: David Miller +Cc: Oliver Hartkopp +Cc: Lukas Bulwahn +Signed-off-by: Jouni Hogander +Cc: linux-stable # >= v5.4 +Acked-by: Oliver Hartkopp +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/slcan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/can/slcan.c ++++ b/drivers/net/can/slcan.c +@@ -613,6 +613,7 @@ err_free_chan: + sl->tty = NULL; + tty->disc_data = NULL; + clear_bit(SLF_INUSE, &sl->flags); ++ slc_free_netdev(sl->dev); + free_netdev(sl->dev); + + err_exit: diff --git a/queue-4.9/cifs-fix-null-pointer-dereference-in-smb2_push_mandatory_locks.patch b/queue-4.9/cifs-fix-null-pointer-dereference-in-smb2_push_mandatory_locks.patch new file mode 100644 index 00000000000..71b393ae7f3 --- /dev/null +++ b/queue-4.9/cifs-fix-null-pointer-dereference-in-smb2_push_mandatory_locks.patch @@ -0,0 +1,72 @@ +From 6f582b273ec23332074d970a7fb25bef835df71f Mon Sep 17 00:00:00 2001 +From: Pavel Shilovsky +Date: Wed, 27 Nov 2019 16:18:39 -0800 +Subject: CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks + +From: Pavel Shilovsky + +commit 6f582b273ec23332074d970a7fb25bef835df71f upstream. + +Currently when the client creates a cifsFileInfo structure for +a newly opened file, it allocates a list of byte-range locks +with a pointer to the new cfile and attaches this list to the +inode's lock list. The latter happens before initializing all +other fields, e.g. cfile->tlink. Thus a partially initialized +cifsFileInfo structure becomes available to other threads that +walk through the inode's lock list. One example of such a thread +may be an oplock break worker thread that tries to push all +cached byte-range locks. This causes NULL-pointer dereference +in smb2_push_mandatory_locks() when accessing cfile->tlink: + +[598428.945633] BUG: kernel NULL pointer dereference, address: 0000000000000038 +... +[598428.945749] Workqueue: cifsoplockd cifs_oplock_break [cifs] +[598428.945793] RIP: 0010:smb2_push_mandatory_locks+0xd6/0x5a0 [cifs] +... +[598428.945834] Call Trace: +[598428.945870] ? cifs_revalidate_mapping+0x45/0x90 [cifs] +[598428.945901] cifs_oplock_break+0x13d/0x450 [cifs] +[598428.945909] process_one_work+0x1db/0x380 +[598428.945914] worker_thread+0x4d/0x400 +[598428.945921] kthread+0x104/0x140 +[598428.945925] ? process_one_work+0x380/0x380 +[598428.945931] ? kthread_park+0x80/0x80 +[598428.945937] ret_from_fork+0x35/0x40 + +Fix this by reordering initialization steps of the cifsFileInfo +structure: initialize all the fields first and then add the new +byte-range lock list to the inode's lock list. + +Cc: Stable +Signed-off-by: Pavel Shilovsky +Reviewed-by: Aurelien Aptel +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/file.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -312,9 +312,6 @@ cifs_new_fileinfo(struct cifs_fid *fid, + INIT_LIST_HEAD(&fdlocks->locks); + fdlocks->cfile = cfile; + cfile->llist = fdlocks; +- cifs_down_write(&cinode->lock_sem); +- list_add(&fdlocks->llist, &cinode->llist); +- up_write(&cinode->lock_sem); + + cfile->count = 1; + cfile->pid = current->tgid; +@@ -338,6 +335,10 @@ cifs_new_fileinfo(struct cifs_fid *fid, + oplock = 0; + } + ++ cifs_down_write(&cinode->lock_sem); ++ list_add(&fdlocks->llist, &cinode->llist); ++ up_write(&cinode->lock_sem); ++ + spin_lock(&tcon->open_file_lock); + if (fid->pending_open->oplock != CIFS_OPLOCK_NO_CHANGE && oplock) + oplock = fid->pending_open->oplock; diff --git a/queue-4.9/cifs-fix-smb2-oplock-break-processing.patch b/queue-4.9/cifs-fix-smb2-oplock-break-processing.patch new file mode 100644 index 00000000000..95c8e244d49 --- /dev/null +++ b/queue-4.9/cifs-fix-smb2-oplock-break-processing.patch @@ -0,0 +1,67 @@ +From fa9c2362497fbd64788063288dc4e74daf977ebb Mon Sep 17 00:00:00 2001 +From: Pavel Shilovsky +Date: Thu, 31 Oct 2019 14:18:57 -0700 +Subject: CIFS: Fix SMB2 oplock break processing + +From: Pavel Shilovsky + +commit fa9c2362497fbd64788063288dc4e74daf977ebb upstream. + +Even when mounting modern protocol version the server may be +configured without supporting SMB2.1 leases and the client +uses SMB2 oplock to optimize IO performance through local caching. + +However there is a problem in oplock break handling that leads +to missing a break notification on the client who has a file +opened. It latter causes big latencies to other clients that +are trying to open the same file. + +The problem reproduces when there are multiple shares from the +same server mounted on the client. The processing code tries to +match persistent and volatile file ids from the break notification +with an open file but it skips all share besides the first one. +Fix this by looking up in all shares belonging to the server that +issued the oplock break. + +Cc: Stable +Signed-off-by: Pavel Shilovsky +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2misc.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/fs/cifs/smb2misc.c ++++ b/fs/cifs/smb2misc.c +@@ -617,10 +617,10 @@ smb2_is_valid_oplock_break(char *buffer, + spin_lock(&cifs_tcp_ses_lock); + list_for_each(tmp, &server->smb_ses_list) { + ses = list_entry(tmp, struct cifs_ses, smb_ses_list); ++ + list_for_each(tmp1, &ses->tcon_list) { + tcon = list_entry(tmp1, struct cifs_tcon, tcon_list); + +- cifs_stats_inc(&tcon->stats.cifs_stats.num_oplock_brks); + spin_lock(&tcon->open_file_lock); + list_for_each(tmp2, &tcon->openFileList) { + cfile = list_entry(tmp2, struct cifsFileInfo, +@@ -632,6 +632,8 @@ smb2_is_valid_oplock_break(char *buffer, + continue; + + cifs_dbg(FYI, "file id match, oplock break\n"); ++ cifs_stats_inc( ++ &tcon->stats.cifs_stats.num_oplock_brks); + cinode = CIFS_I(d_inode(cfile->dentry)); + spin_lock(&cfile->file_info_lock); + if (!CIFS_CACHE_WRITE(cinode) && +@@ -664,9 +666,6 @@ smb2_is_valid_oplock_break(char *buffer, + return true; + } + spin_unlock(&tcon->open_file_lock); +- spin_unlock(&cifs_tcp_ses_lock); +- cifs_dbg(FYI, "No matching file for oplock break\n"); +- return true; + } + } + spin_unlock(&cifs_tcp_ses_lock); diff --git a/queue-4.9/jbd2-fix-possible-overflow-in-jbd2_log_space_left.patch b/queue-4.9/jbd2-fix-possible-overflow-in-jbd2_log_space_left.patch new file mode 100644 index 00000000000..ff1572cd943 --- /dev/null +++ b/queue-4.9/jbd2-fix-possible-overflow-in-jbd2_log_space_left.patch @@ -0,0 +1,49 @@ +From add3efdd78b8a0478ce423bb9d4df6bd95e8b335 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Tue, 5 Nov 2019 17:44:07 +0100 +Subject: jbd2: Fix possible overflow in jbd2_log_space_left() + +From: Jan Kara + +commit add3efdd78b8a0478ce423bb9d4df6bd95e8b335 upstream. + +When number of free space in the journal is very low, the arithmetic in +jbd2_log_space_left() could underflow resulting in very high number of +free blocks and thus triggering assertion failure in transaction commit +code complaining there's not enough space in the journal: + +J_ASSERT(journal->j_free > 1); + +Properly check for the low number of free blocks. + +CC: stable@vger.kernel.org +Reviewed-by: Theodore Ts'o +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20191105164437.32602-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/jbd2.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/linux/jbd2.h ++++ b/include/linux/jbd2.h +@@ -1560,7 +1560,7 @@ static inline int jbd2_space_needed(jour + static inline unsigned long jbd2_log_space_left(journal_t *journal) + { + /* Allow for rounding errors */ +- unsigned long free = journal->j_free - 32; ++ long free = journal->j_free - 32; + + if (journal->j_committing_transaction) { + unsigned long committing = atomic_read(&journal-> +@@ -1569,7 +1569,7 @@ static inline unsigned long jbd2_log_spa + /* Transaction + control blocks */ + free -= committing + (committing >> JBD2_CONTROL_BLOCKS_SHIFT); + } +- return free; ++ return max_t(long, free, 0); + } + + /* diff --git a/queue-4.9/series b/queue-4.9/series index b32ccb38d66..724ec506d6a 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -74,3 +74,9 @@ fuse-verify-attributes.patch alsa-pcm-oss-avoid-potential-buffer-overflows.patch input-goodix-add-upside-down-quirk-for-teclast-x89-tablet.patch coresight-etm4x-fix-input-validation-for-sysfs.patch +x86-pci-avoid-amd-fch-xhci-usb-pme-from-d0-defect.patch +cifs-fix-null-pointer-dereference-in-smb2_push_mandatory_locks.patch +cifs-fix-smb2-oplock-break-processing.patch +tty-vt-keyboard-reject-invalid-keycodes.patch +can-slcan-fix-use-after-free-read-in-slcan_open.patch +jbd2-fix-possible-overflow-in-jbd2_log_space_left.patch diff --git a/queue-4.9/tty-vt-keyboard-reject-invalid-keycodes.patch b/queue-4.9/tty-vt-keyboard-reject-invalid-keycodes.patch new file mode 100644 index 00000000000..a215c79cb3d --- /dev/null +++ b/queue-4.9/tty-vt-keyboard-reject-invalid-keycodes.patch @@ -0,0 +1,52 @@ +From b2b2dd71e0859436d4e05b2f61f86140250ed3f8 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Fri, 22 Nov 2019 12:42:20 -0800 +Subject: tty: vt: keyboard: reject invalid keycodes + +From: Dmitry Torokhov + +commit b2b2dd71e0859436d4e05b2f61f86140250ed3f8 upstream. + +Do not try to handle keycodes that are too big, otherwise we risk doing +out-of-bounds writes: + +BUG: KASAN: global-out-of-bounds in clear_bit include/asm-generic/bitops-instrumented.h:56 [inline] +BUG: KASAN: global-out-of-bounds in kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline] +BUG: KASAN: global-out-of-bounds in kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495 +Write of size 8 at addr ffffffff89a1b2d8 by task syz-executor108/1722 +... + kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline] + kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495 + input_to_handler+0x3b6/0x4c0 drivers/input/input.c:118 + input_pass_values.part.0+0x2e3/0x720 drivers/input/input.c:145 + input_pass_values drivers/input/input.c:949 [inline] + input_set_keycode+0x290/0x320 drivers/input/input.c:954 + evdev_handle_set_keycode_v2+0xc4/0x120 drivers/input/evdev.c:882 + evdev_do_ioctl drivers/input/evdev.c:1150 [inline] + +In this case we were dealing with a fuzzed HID device that declared over +12K buttons, and while HID layer should not be reporting to us such big +keycodes, we should also be defensive and reject invalid data ourselves as +well. + +Reported-by: syzbot+19340dff067c2d3835c0@syzkaller.appspotmail.com +Signed-off-by: Dmitry Torokhov +Cc: stable +Link: https://lore.kernel.org/r/20191122204220.GA129459@dtor-ws +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/vt/keyboard.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/vt/keyboard.c ++++ b/drivers/tty/vt/keyboard.c +@@ -1460,7 +1460,7 @@ static void kbd_event(struct input_handl + + if (event_type == EV_MSC && event_code == MSC_RAW && HW_RAW(handle->dev)) + kbd_rawcode(value); +- if (event_type == EV_KEY) ++ if (event_type == EV_KEY && event_code <= KEY_MAX) + kbd_keycode(event_code, value, HW_RAW(handle->dev)); + + spin_unlock(&kbd_event_lock); diff --git a/queue-4.9/x86-pci-avoid-amd-fch-xhci-usb-pme-from-d0-defect.patch b/queue-4.9/x86-pci-avoid-amd-fch-xhci-usb-pme-from-d0-defect.patch new file mode 100644 index 00000000000..6faf136ff3c --- /dev/null +++ b/queue-4.9/x86-pci-avoid-amd-fch-xhci-usb-pme-from-d0-defect.patch @@ -0,0 +1,53 @@ +From 7e8ce0e2b036dbc6617184317983aea4f2c52099 Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Mon, 2 Sep 2019 22:52:52 +0800 +Subject: x86/PCI: Avoid AMD FCH XHCI USB PME# from D0 defect + +From: Kai-Heng Feng + +commit 7e8ce0e2b036dbc6617184317983aea4f2c52099 upstream. + +The AMD FCH USB XHCI Controller advertises support for generating PME# +while in D0. When in D0, it does signal PME# for USB 3.0 connect events, +but not for USB 2.0 or USB 1.1 connect events, which means the controller +doesn't wake correctly for those events. + + 00:10.0 USB controller [0c03]: Advanced Micro Devices, Inc. [AMD] FCH USB XHCI Controller [1022:7914] (rev 20) (prog-if 30 [XHCI]) + Subsystem: Dell FCH USB XHCI Controller [1028:087e] + Capabilities: [50] Power Management version 3 + Flags: PMEClk- DSI- D1- D2- AuxCurrent=0mA PME(D0+,D1-,D2-,D3hot+,D3cold+) + +Clear PCI_PM_CAP_PME_D0 in dev->pme_support to indicate the device will not +assert PME# from D0 so we don't rely on it. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=203673 +Link: https://lore.kernel.org/r/20190902145252.32111-1-kai.heng.feng@canonical.com +Signed-off-by: Kai-Heng Feng +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/pci/fixup.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/arch/x86/pci/fixup.c ++++ b/arch/x86/pci/fixup.c +@@ -573,6 +573,17 @@ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_IN + DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x6fc0, pci_invalid_bar); + + /* ++ * Device [1022:7914] ++ * When in D0, PME# doesn't get asserted when plugging USB 2.0 device. ++ */ ++static void pci_fixup_amd_fch_xhci_pme(struct pci_dev *dev) ++{ ++ dev_info(&dev->dev, "PME# does not work under D0, disabling it\n"); ++ dev->pme_support &= ~(PCI_PM_CAP_PME_D0 >> PCI_PM_CAP_PME_SHIFT); ++} ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_AMD, 0x7914, pci_fixup_amd_fch_xhci_pme); ++ ++/* + * Apple MacBook Pro: Avoid [mem 0x7fa00000-0x7fbfffff] + * + * Using the [mem 0x7fa00000-0x7fbfffff] region, e.g., by assigning it to