From: Greg Kroah-Hartman Date: Tue, 8 Sep 2020 15:13:02 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v4.14.197~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cd8fc3b6aab5ac8749f1803dd06cf820339f8b2c;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: cfg80211-regulatory-reject-invalid-hints.patch checkpatch-fix-the-usage-of-capture-group.patch mm-hugetlb-fix-a-race-between-hugetlb-sysctl-handlers.patch net-usb-fix-uninit-was-stored-issue-in-asix_read_phy_addr.patch --- diff --git a/queue-4.19/cfg80211-regulatory-reject-invalid-hints.patch b/queue-4.19/cfg80211-regulatory-reject-invalid-hints.patch new file mode 100644 index 00000000000..50e9b7c54bf --- /dev/null +++ b/queue-4.19/cfg80211-regulatory-reject-invalid-hints.patch @@ -0,0 +1,34 @@ +From 47caf685a6854593348f216e0b489b71c10cbe03 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Wed, 19 Aug 2020 10:46:48 +0200 +Subject: cfg80211: regulatory: reject invalid hints + +From: Johannes Berg + +commit 47caf685a6854593348f216e0b489b71c10cbe03 upstream. + +Reject invalid hints early in order to not cause a kernel +WARN later if they're restored to or similar. + +Reported-by: syzbot+d451401ffd00a60677ee@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=d451401ffd00a60677ee +Link: https://lore.kernel.org/r/20200819084648.13956-1-johannes@sipsolutions.net +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/wireless/reg.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -2936,6 +2936,9 @@ int regulatory_hint_user(const char *alp + if (WARN_ON(!alpha2)) + return -EINVAL; + ++ if (!is_world_regdom(alpha2) && !is_an_alpha2(alpha2)) ++ return -EINVAL; ++ + request = kzalloc(sizeof(struct regulatory_request), GFP_KERNEL); + if (!request) + return -ENOMEM; 
diff --git a/queue-4.19/checkpatch-fix-the-usage-of-capture-group.patch b/queue-4.19/checkpatch-fix-the-usage-of-capture-group.patch new file mode 100644 index 00000000000..8e73c06a09c --- /dev/null +++ b/queue-4.19/checkpatch-fix-the-usage-of-capture-group.patch 
@@ -0,0 +1,58 @@ +From 13e45417cedbfc44b1926124b1846f5ee8c6ba4a Mon Sep 17 00:00:00 2001 +From: Mrinal Pandey +Date: Fri, 4 Sep 2020 16:35:52 -0700 +Subject: checkpatch: fix the usage of capture group ( ... ) + +From: Mrinal Pandey + +commit 13e45417cedbfc44b1926124b1846f5ee8c6ba4a upstream. + +The usage of "capture group (...)" in the immediate condition after `&&` +results in `$1` being uninitialized. This issues a warning "Use of +uninitialized value $1 in regexp compilation at ./scripts/checkpatch.pl +line 2638". + +I noticed this bug while running checkpatch on the set of commits from +v5.7 to v5.8-rc1 of the kernel on the commits with a diff content in +their commit message. + +This bug was introduced in the script by commit e518e9a59ec3 +("checkpatch: emit an error when there's a diff in a changelog"). It +has been in the script since then. + +The author intended to store the match made by capture group in variable +`$1`. This should have contained the name of the file as `[\w/]+` +matched. However, this couldn't be accomplished due to usage of capture +group and `$1` in the same regular expression. + +Fix this by placing the capture group in the condition before `&&`. +Thus, `$1` can be initialized to the text that capture group matches +thereby setting it to the desired and required value. 
+ +Fixes: e518e9a59ec3 ("checkpatch: emit an error when there's a diff in a changelog") +Signed-off-by: Mrinal Pandey +Signed-off-by: Andrew Morton +Tested-by: Lukas Bulwahn +Reviewed-by: Lukas Bulwahn +Cc: Joe Perches +Link: https://lkml.kernel.org/r/20200714032352.f476hanaj2dlmiot@mrinalpandey +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + scripts/checkpatch.pl | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/scripts/checkpatch.pl ++++ b/scripts/checkpatch.pl +@@ -2541,8 +2541,8 @@ sub process { + + # Check if the commit log has what seems like a diff which can confuse patch + if ($in_commit_log && !$commit_log_has_diff && +- (($line =~ m@^\s+diff\b.*a/[\w/]+@ && +- $line =~ m@^\s+diff\b.*a/([\w/]+)\s+b/$1\b@) || ++ (($line =~ m@^\s+diff\b.*a/([\w/]+)@ && ++ $line =~ m@^\s+diff\b.*a/[\w/]+\s+b/$1\b@) || + $line =~ m@^\s*(?:\-\-\-\s+a/|\+\+\+\s+b/)@ || + $line =~ m/^\s*\@\@ \-\d+,\d+ \+\d+,\d+ \@\@/)) { + ERROR("DIFF_IN_COMMIT_MSG", diff --git a/queue-4.19/mm-hugetlb-fix-a-race-between-hugetlb-sysctl-handlers.patch b/queue-4.19/mm-hugetlb-fix-a-race-between-hugetlb-sysctl-handlers.patch new file mode 100644 index 00000000000..3be347bacda --- /dev/null +++ b/queue-4.19/mm-hugetlb-fix-a-race-between-hugetlb-sysctl-handlers.patch 
@@ -0,0 +1,119 @@ +From 17743798d81238ab13050e8e2833699b54e15467 Mon Sep 17 00:00:00 2001 +From: Muchun Song +Date: Fri, 4 Sep 2020 16:36:13 -0700 +Subject: mm/hugetlb: fix a race between hugetlb sysctl handlers + +From: Muchun Song + +commit 17743798d81238ab13050e8e2833699b54e15467 upstream. + +There is a race between the assignment of `table->data` and write value +to the pointer of `table->data` in the __do_proc_doulongvec_minmax() on +the other thread. + + CPU0: CPU1: + proc_sys_write + hugetlb_sysctl_handler proc_sys_call_handler + hugetlb_sysctl_handler_common hugetlb_sysctl_handler + table->data = &tmp; hugetlb_sysctl_handler_common + table->data = &tmp; + proc_doulongvec_minmax + do_proc_doulongvec_minmax sysctl_head_finish + __do_proc_doulongvec_minmax unuse_table + i = table->data; + *i = val; // corrupt CPU1's stack + +Fix this by duplicating the `table`, and only update the duplicate of +it. And introduce a helper of proc_hugetlb_doulongvec_minmax() to +simplify the code. + +The following oops was seen: + + BUG: kernel NULL pointer dereference, address: 0000000000000000 + #PF: supervisor instruction fetch in kernel mode + #PF: error_code(0x0010) - not-present page + Code: Bad RIP value. + ... + Call Trace: + ? set_max_huge_pages+0x3da/0x4f0 + ? alloc_pool_huge_page+0x150/0x150 + ? proc_doulongvec_minmax+0x46/0x60 + ? hugetlb_sysctl_handler_common+0x1c7/0x200 + ? nr_hugepages_store+0x20/0x20 + ? copy_fd_bitmaps+0x170/0x170 + ? hugetlb_sysctl_handler+0x1e/0x20 + ? proc_sys_call_handler+0x2f1/0x300 + ? unregister_sysctl_table+0xb0/0xb0 + ? __fd_install+0x78/0x100 + ? proc_sys_write+0x14/0x20 + ? __vfs_write+0x4d/0x90 + ? vfs_write+0xef/0x240 + ? ksys_write+0xc0/0x160 + ? __ia32_sys_read+0x50/0x50 + ? __close_fd+0x129/0x150 + ? __x64_sys_write+0x43/0x50 + ? do_syscall_64+0x6c/0x200 + ? 
entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: e5ff215941d5 ("hugetlb: multiple hstates for multiple page sizes") +Signed-off-by: Muchun Song +Signed-off-by: Andrew Morton +Reviewed-by: Mike Kravetz +Cc: Andi Kleen +Link: http://lkml.kernel.org/r/20200828031146.43035-1-songmuchun@bytedance.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/hugetlb.c | 26 ++++++++++++++++++++------ + 1 file changed, 20 insertions(+), 6 deletions(-) + +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -2918,6 +2918,22 @@ static unsigned int cpuset_mems_nr(unsig + } + + #ifdef CONFIG_SYSCTL ++static int proc_hugetlb_doulongvec_minmax(struct ctl_table *table, int write, ++ void *buffer, size_t *length, ++ loff_t *ppos, unsigned long *out) ++{ ++ struct ctl_table dup_table; ++ ++ /* ++ * In order to avoid races with __do_proc_doulongvec_minmax(), we ++ * can duplicate the @table and alter the duplicate of it. ++ */ ++ dup_table = *table; ++ dup_table.data = out; ++ ++ return proc_doulongvec_minmax(&dup_table, write, buffer, length, ppos); ++} ++ + static int hugetlb_sysctl_handler_common(bool obey_mempolicy, + struct ctl_table *table, int write, + void __user *buffer, size_t *length, loff_t *ppos) +@@ -2929,9 +2945,8 @@ static int hugetlb_sysctl_handler_common + if (!hugepages_supported()) + return -EOPNOTSUPP; + +- table->data = &tmp; +- table->maxlen = sizeof(unsigned long); +- ret = proc_doulongvec_minmax(table, write, buffer, length, ppos); ++ ret = proc_hugetlb_doulongvec_minmax(table, write, buffer, length, ppos, ++ &tmp); + if (ret) + goto out; + +@@ -2975,9 +2990,8 @@ int hugetlb_overcommit_handler(struct ct + if (write && hstate_is_gigantic(h)) + return -EINVAL; + +- table->data = &tmp; +- table->maxlen = sizeof(unsigned long); +- ret = proc_doulongvec_minmax(table, write, buffer, length, ppos); ++ ret = proc_hugetlb_doulongvec_minmax(table, write, buffer, length, ppos, ++ &tmp); + if (ret) + goto out; + 
diff --git a/queue-4.19/net-usb-fix-uninit-was-stored-issue-in-asix_read_phy_addr.patch b/queue-4.19/net-usb-fix-uninit-was-stored-issue-in-asix_read_phy_addr.patch new file mode 100644 index 00000000000..73587de2e4f --- /dev/null +++ b/queue-4.19/net-usb-fix-uninit-was-stored-issue-in-asix_read_phy_addr.patch @@ -0,0 +1,34 @@ +From a092b7233f0e000cc6f2c71a49e2ecc6f917a5fc Mon Sep 17 00:00:00 2001 +From: Himadri Pandya +Date: Thu, 27 Aug 2020 12:23:55 +0530 +Subject: net: usb: Fix uninit-was-stored issue in asix_read_phy_addr() + +From: Himadri Pandya + +commit a092b7233f0e000cc6f2c71a49e2ecc6f917a5fc upstream. + +The buffer size is 2 Bytes and we expect to receive the same amount of +data. But sometimes we receive less data and run into uninit-was-stored +issue upon read. Hence modify the error check on the return value to match +with the buffer size as a prevention. + +Reported-and-tested by: syzbot+a7e220df5a81d1ab400e@syzkaller.appspotmail.com +Signed-off-by: Himadri Pandya +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/usb/asix_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/usb/asix_common.c ++++ b/drivers/net/usb/asix_common.c +@@ -309,7 +309,7 @@ int asix_read_phy_addr(struct usbnet *de + + netdev_dbg(dev->net, "asix_get_phy_addr()\n"); + +- if (ret < 0) { ++ if (ret < 2) { + netdev_err(dev->net, "Error reading PHYID register: %02x\n", ret); + goto out; + } diff --git a/queue-4.19/series b/queue-4.19/series index 7a7586ed458..404dc327038 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
@@ -82,3 +82,7 @@ kvm-arm64-defer-guest-entry-when-an-asynchronous-exception-is-pending.patch kvm-arm64-survive-synchronous-exceptions-caused-by-at-instructions.patch kvm-arm64-set-hcr_el2.ptw-to-prevent-at-taking-synchronous-exception.patch vfio-pci-fix-sr-iov-vf-handling-with-mmio-blocking.patch +checkpatch-fix-the-usage-of-capture-group.patch +mm-hugetlb-fix-a-race-between-hugetlb-sysctl-handlers.patch +cfg80211-regulatory-reject-invalid-hints.patch +net-usb-fix-uninit-was-stored-issue-in-asix_read_phy_addr.patch
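Review bot: The alpha2 validation added to regulatory_hint_user() in the cfg80211 patch sits after the WARN_ON(!alpha2) guard and before kzalloc(), so is_an_alpha2() never dereferences NULL and no request is leaked on the reject path; that ordering is correct. Two things to tighten in the same hunk: the commit message carries a syzbot report but no Fixes: tag, and the sentence "if they're restored to or similar" is missing a word, so it does not say which restore path triggers the WARN.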
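Review bot: In the checkpatch hunk, moving the capture group into the first regex is the right fix: previously `$1` was interpolated into the second pattern before any group had matched, so the `diff a/X b/X` branch could never succeed and Perl only emitted the "uninitialized value $1 in regexp compilation" warning. A short code comment would help here, because `$1` is only valid in the second regex as long as both patterns match the same `$line` within one `&&` expression; if a later change inserts another match between them, `$1` will silently change meaning again, exactly as happened in e518e9a59ec3.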
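Review bot: In the mm/hugetlb hunk, proc_hugetlb_doulongvec_minmax() drops the `table->maxlen = sizeof(unsigned long)` assignment that the removed lines performed, but the duplicate only overrides `.data`; correctness therefore relies on every registered hugetlb ctl_table entry already carrying `maxlen = sizeof(unsigned long)`. Setting `dup_table.maxlen = sizeof(*out)` next to `dup_table.data = out` would make the helper self-contained and document that assumption. Backport nit: the helper is declared with `void *buffer` while hugetlb_sysctl_handler_common() in the same hunk still takes `void __user *buffer` on 4.19, so sparse will flag an address-space mismatch; the parameter should carry `__user` on this branch.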
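Review bot: In the asix_common.c hunk, `ret < 2` closes the short-read case the commit message describes, but the literal 2 duplicates the buffer size; using `sizeof(buf)` (or the length constant passed to the read at the call site) keeps the two in sync. On the new short-read path `ret` is 0 or 1 rather than a negative errno, so the existing netdev_err() format `%02x` prints a byte count that reads like a register value; printing with `%d` and setting `ret = -EIO` before `goto out` would keep both the diagnostic and the return value unambiguous for callers that treat only negatives as failure. Minor: the `Reported-and-tested by:` tag is missing its hyphen (`Reported-and-tested-by:`).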