From: Sasha Levin Date: Tue, 12 Nov 2019 14:27:15 +0000 (-0500) Subject: fixes for 4.14 X-Git-Tag: v4.4.201~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ee5e1cdea10f0148e0ac67d3f95c9b43934f10cf;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/net-prevent-load-store-tearing-on-sk-sk_stamp.patch b/queue-4.14/net-prevent-load-store-tearing-on-sk-sk_stamp.patch new file mode 100644 index 00000000000..2d651522d48 --- /dev/null +++ b/queue-4.14/net-prevent-load-store-tearing-on-sk-sk_stamp.patch @@ -0,0 +1,50 @@ +From 91fb98db25fe3a5cc3902df381b91b43ca54870e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Nov 2019 21:38:43 -0800 +Subject: net: prevent load/store tearing on sk->sk_stamp + +From: Eric Dumazet + +[ Upstream commit f75359f3ac855940c5718af10ba089b8977bf339 ] + +Add a couple of READ_ONCE() and WRITE_ONCE() to prevent +load-tearing and store-tearing in sock_read_timestamp() +and sock_write_timestamp() + +This might prevent another KCSAN report. + +Fixes: 3a0ed3e96197 ("sock: Make sock->sk_stamp thread-safe") +Signed-off-by: Eric Dumazet +Cc: Deepa Dinamani +Acked-by: Deepa Dinamani +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/sock.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/net/sock.h b/include/net/sock.h +index 7ec4d0bd8d12f..780c6c0a86f04 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -2229,7 +2229,7 @@ static inline ktime_t sock_read_timestamp(struct sock *sk) + + return kt; + #else +- return sk->sk_stamp; ++ return READ_ONCE(sk->sk_stamp); + #endif + } + +@@ -2240,7 +2240,7 @@ static inline void sock_write_timestamp(struct sock *sk, ktime_t kt) + sk->sk_stamp = kt; + write_sequnlock(&sk->sk_stamp_seq); + #else +- sk->sk_stamp = kt; ++ WRITE_ONCE(sk->sk_stamp, kt); + #endif + } + +-- +2.20.1 + diff --git a/queue-4.14/series b/queue-4.14/series index 3b6f20587d1..628f20255eb 100644 
--- a/queue-4.14/series +++ b/queue-4.14/series @@ -102,3 +102,5 @@ x86-apic-32-avoid-bogus-ldr-warnings.patch can-flexcan-disable-completely-the-ecc-mechanism.patch mm-filemap.c-don-t-initiate-writeback-if-mapping-has-no-dirty-pages.patch cgroup-writeback-don-t-switch-wbs-immediately-on-dead-wbs-if-the-memcg-is-dead.patch +usbip-fix-free-of-unallocated-memory-in-vhci-tx.patch +net-prevent-load-store-tearing-on-sk-sk_stamp.patch diff --git a/queue-4.14/usbip-fix-free-of-unallocated-memory-in-vhci-tx.patch b/queue-4.14/usbip-fix-free-of-unallocated-memory-in-vhci-tx.patch new file mode 100644 index 00000000000..007994c346b --- /dev/null +++ b/queue-4.14/usbip-fix-free-of-unallocated-memory-in-vhci-tx.patch 
@@ -0,0 +1,47 @@ +From 486aabeb576c52b0752a43a8b752cfea5db93530 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Oct 2019 18:30:17 +0900 +Subject: usbip: Fix free of unallocated memory in vhci tx + +From: Suwan Kim + +[ Upstream commit d4d8257754c3300ea2a465dadf8d2b02c713c920 ] + +iso_buffer should be set to NULL after use and free in the while loop. +In the case of isochronous URB in the while loop, iso_buffer is +allocated and after sending it to server, buffer is deallocated. And +then, if the next URB in the while loop is not a isochronous pipe, +iso_buffer still holds the previously deallocated buffer address and +kfree tries to free wrong buffer address. + +Fixes: ea44d190764b ("usbip: Implement SG support to vhci-hcd and stub driver") +Reported-by: kbuild test robot +Reported-by: Julia Lawall +Signed-off-by: Suwan Kim +Reviewed-by: Julia Lawall +Acked-by: Shuah Khan +Link: https://lore.kernel.org/r/20191022093017.8027-1-suwan.kim027@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/usbip/vhci_tx.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/usb/usbip/vhci_tx.c b/drivers/usb/usbip/vhci_tx.c +index 93c139d884f34..682127d258fdd 100644 +--- a/drivers/usb/usbip/vhci_tx.c ++++ b/drivers/usb/usbip/vhci_tx.c +@@ -161,7 +161,10 @@ static int vhci_send_cmd_submit(struct vhci_device *vdev) + } + + kfree(iov); ++ /* This is only for isochronous case */ + kfree(iso_buffer); ++ iso_buffer = NULL; ++ + usbip_dbg_vhci_tx("send txdata\n"); + + total_size += txsize; +-- +2.20.1 +
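Review bot: in the include/net/sock.h hunks, the READ_ONCE()/WRITE_ONCE() annotations sit only in the #else branches of sock_read_timestamp() and sock_write_timestamp(), so they protect sk->sk_stamp only as long as every lockless access goes through these two helpers. Before this is queued for 4.14, check that the tree has no remaining direct reads or writes of sk->sk_stamp outside the helpers, since a plain access elsewhere would still be subject to load or store tearing. A short comment next to "return READ_ONCE(sk->sk_stamp);" saying that it pairs with the WRITE_ONCE() in sock_write_timestamp() would document the lockless contract for later readers.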
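Review bot: in the drivers/usb/usbip/vhci_tx.c hunk, "iso_buffer = NULL;" is reset at only one point, directly after "kfree(iso_buffer);" in vhci_send_cmd_submit(), so the fix relies on every iteration of the while loop reaching these lines. If any path frees iso_buffer and then continues or exits without passing here, the stale pointer survives; resetting iso_buffer to NULL at the top of each iteration, or declaring it inside the loop body, would cover all paths in one place. The added comment "/* This is only for isochronous case */" would also be clearer if it stated that iso_buffer is NULL for non-isochronous URBs and that kfree(NULL) is a no-op.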